Offensive Python?

Network Pivoting


Talk Overview

* VoIP Basics
  - SIP, RTP
  - Secure: TLS, SRTP
* Recovering/Decrypting VoIP Calls
* Current open source tools and issues
* VoIPShark
  - Architecture and Internals
  - Analyzing VoIP Traffic
  - Recovering Calls
  - Detecting Attacks Passively
  - Demo
VoIP Telephony

* Signalling + Media

(Diagram: endpoints and a SIP Server; the signalling is exchanged with the SIP server, the media is a separate stream.)
Signalling Protocols

SIP (Session Initiation Protocol)
* Developed by the IETF
* Designed as the IP-based replacement for desk phones and the PSTN (Public Switched Telephone Network)

H.323
* Created by the ITU-T
* Focused on videoconferencing but also used for voice calls

SCCP (Skinny)
* Cisco proprietary protocol used for line-side control of phones
Session Initiation Protocol

* Text-based protocol (request/response with HTTP-like headers)
* Applications
  - Calls (audio, video), with the media carried by other protocols such as RTP
  - Text messages using the SIP MESSAGE method
* Works with other protocols
  - Session Description Protocol (SDP) carries the media negotiation and setup (codecs, addresses, ports) in the message body
  - Can operate over TCP, UDP or SCTP (Stream Control Transmission Protocol); UDP port 5060 by default
* Security is provided by TLS (Transport Layer Security), i.e. SIP over TLS (port 5061 by default). This protects only the signalling, hop by hop; the RTP media needs SRTP to be protected.
SUBSCRIBE, PUBLISH and NOTIFY

(Diagram: User/Device, Subscription Broker, Service. A user agent SUBSCRIBEs to an event package, a service PUBLISHes its state to the broker, and the broker sends NOTIFY messages to the subscribers.)
Session Initiation Protocol: Sample Call Flow

  Caller (UAC)                          Callee (UAS)
      | ----------- INVITE -------------> |
      | <--------- 100 Trying ----------- |
      | <--------- 180 Ringing ---------- |
      | <---------- 200 OK -------------- |
      | ------------ ACK ---------------> |
      | <======== media (RTP) ==========> |
      | ------------ BYE ---------------> |   (either side may hang up)
      | <---------- 200 OK -------------- |
User Agent Server (UAS) Solutions

Open source SIP server / PBX platforms:

* SIPf​oundry (www.sipfoundry.org)
* Elastix
* FreeSWITCH (freeswitch.org)
* Asterisk (www.asterisk.org)
Softphone Clients

* Program for making telephone calls over IP
* Some options
  - Zoiper (www.zoiper.com)
  - X-Lite (www.counterpath.com/x-lite-download)
  - Linphone (www.linphone.org)
  - MicroSIP (www.microsip.org)
  - 3CX (www.3cx.com)
* Factors in choosing a good softphone client
  - Check codec support
  - Check encryption capabilities (especially in free versions, which may lack SIP over TLS or SRTP)
  - Other functionality (i.e. text message option, hold, waiting, ...)
Asterisk

(Logos: Asterisk and FreePBX, "let freedom ring".)
Scenario

* AsteriskNOW server: 192.168.20.130
* Bob: User ID 1111, password abc 123321, 192.168.20.132
* Alice: User ID 2222, password 123321, 192.168.20.1

(The address assignment follows from the captures: Bob's INVITE for 2222 goes from 192.168.20.132 to the server, which forwards it to Alice at 192.168.20.1.)


Possible Configurations

* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP
SIP/SDP Packets (Wireshark)

No.  Time       Source          Destination     Protocol  Length  Info
34   17.478218  192.168.20.132  192.168.20.130  SIP/SDP   1374    Request: INVITE sip:2222@192.168.20.130
37   17.598013  192.168.20.130  192.168.20.1    SIP/SDP   1089    Request: INVITE sip:2222@192.168.20.1:52987;ob
71   22.145095  192.168.20.1    192.168.20.130  SIP/SDP   1014    Status: 200 OK
74   22.150650  192.168.20.130  192.168.20.132  SIP/SDP   1046    Status: 200 OK
78   22.158359  192.168.20.132  192.168.20.130  SIP/SDP   919     Request: UPDATE sip:192.168.20.130:5060

Frame 71: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_f8:0d:44 (00:0c:29:f8:0d:44)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 52987, Dst Port: 5060
Session Initiation Protocol (200)
  Status-Line: SIP/2.0 200 OK
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3731351734 3731351735 IN IP4 192.168.5.103
      Session Name (s): pjmedia
      Bandwidth Information (b): AS:84
      Time Description, active time (t): 0 0
      Session Attribute (a): X-nat:0
      Media Description, name and address (m): audio 4000 RTP/AVP 0 101
      Connection Information (c): IN IP4 192.168.5.103
      Bandwidth Information (b): TIAS:64000
      Media Attribute (a): rtcp:4001 IN IP4 192.168.5.103
      Media Attribute (a): sendrecv
      Media Attribute (a): rtpmap:0 PCMU/8000
      Media Attribute (a): rtpmap:101 telephone-event/8000

The m= line (port 4000, profile RTP/AVP, payload types 0 and 101) and the a=rtcp: line (port 4001) are what Wireshark uses to tag the later UDP traffic as RTP and RTCP. Note that the c= address 192.168.5.103 differs from the IP header's 192.168.20.1: the phone advertises a different interface than the one it sends from.
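The following is an added example, not code from the VoIPShark talk or from Wireshark. It does in a few dozen lines what Wireshark does when it "learns" media ports from SDP, and it also handles the SRTP case of the later "SRTP key in SDP packet" slide: it splits a SIP message into start line, headers and body, walks the SDP, and returns for each m= section the address, media port, RTCP port, transport profile (RTP/AVP is plain RTP, RTP/SAVP is SRTP) and any SDES key from an a=crypto: attribute (RFC 4568). The SIP message, the a=crypto: line and the 30-byte key in it are constructed for this example, modelled on the 200 OK of frame 71 above; they are not captured data.

```python
"""Extract media endpoints (and any SDES SRTP key) from the SDP body of a SIP message."""
import base64

# Constructed 30-byte master key || salt (16 + 14 bytes for AES_CM_128_HMAC_SHA1_80).
_KEY_B64 = base64.b64encode(bytes(range(30))).decode()

# Constructed answer modelled on frame 71, but with an SRTP profile and an a=crypto line.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 3731351734 3731351735 IN IP4 192.168.5.103\r\n"
    "s=pjmedia\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/SAVP 0 101\r\n"
    "c=IN IP4 192.168.5.103\r\n"
    "a=rtcp:4001 IN IP4 192.168.5.103\r\n"
    "a=sendrecv\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + _KEY_B64 + "|2^20\r\n"
)
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.20.130:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:1111@192.168.20.130>;tag=a1\r\n"
    "To: <sip:2222@192.168.20.130>;tag=b2\r\n"
    "Call-ID: example-call@192.168.20.130\r\n"
    "CSeq: 28747 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n\r\n" % len(SAMPLE_SDP)
) + SAMPLE_SDP

# Master key length per crypto suite; the salt is 14 bytes for all of them (RFC 4568).
_SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16, "AES_CM_128_HMAC_SHA1_32": 16,
    "F8_128_HMAC_SHA1_80": 16,
    "AES_256_CM_HMAC_SHA1_80": 32, "AES_256_CM_HMAC_SHA1_32": 32,
}


def parse_sip(raw):
    """Split a SIP message into start line, headers (names lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_crypto(value):
    """Parse the value of a=crypto: (tag, suite, key-params [, session-params])."""
    tag, suite, key_params, *session_params = value.split()
    keys = []
    for kp in key_params.split(";"):            # several keys may be offered
        method, _, rest = kp.partition(":")
        if method != "inline":
            continue
        b64, *extra = rest.split("|")           # inline:<base64>[|lifetime][|mki:len]
        blob = base64.b64decode(b64)
        klen = _SUITE_KEY_LEN.get(suite, 16)
        keys.append({"master_key": blob[:klen], "master_salt": blob[klen:klen + 14],
                     "lifetime_mki": extra})
    return {"tag": int(tag), "suite": suite, "keys": keys,
            "session_params": session_params}


def parse_sdp_media(sdp):
    """Return one dict per m= section with what a sniffer needs to locate the media."""
    session_addr = None
    media = []
    for line in sdp.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "c" and not media:           # session-level c= applies to every m=
            session_addr = value.split()[2]
        elif kind == "m":
            mtype, port, proto, *fmts = value.split()
            media.append({"type": mtype, "port": int(port), "proto": proto,
                          "srtp": proto in ("RTP/SAVP", "RTP/SAVPF"),
                          "formats": fmts, "addr": session_addr,
                          "rtcp_port": int(port) + 1, "crypto": []})
        elif media and kind == "c":             # media-level c= overrides the session one
            media[-1]["addr"] = value.split()[2]
        elif media and kind == "a":
            attr, _, val = value.partition(":")
            if attr == "rtcp":                  # explicit RTCP port instead of port+1
                media[-1]["rtcp_port"] = int(val.split()[0])
            elif attr == "crypto":
                media[-1]["crypto"].append(parse_crypto(val))
    return media


def media_from_sip(raw):
    """Media sections of a SIP message, or [] if it carries no SDP body."""
    msg = parse_sip(raw)
    if "application/sdp" not in "".join(msg["headers"].get("content-type", [])):
        return []
    return parse_sdp_media(msg["body"])


if __name__ == "__main__":
    for m in media_from_sip(SAMPLE_200_OK):
        print(m["type"], m["addr"], m["port"], m["proto"], "rtcp", m["rtcp_port"])
        for c in m["crypto"]:
            print("  SRTP", c["suite"], "master key", c["keys"][0]["master_key"].hex())
```

The point of the a=crypto: branch is the security one: with SDES, anyone who can read the signalling (plain SIP on 5060) gets the SRTP master key and salt straight out of the offer/answer, which is why SRTP is only as strong as the SIP over TLS that carries it.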


RTCP Packets (Wireshark)

No.   Time       Source          Destination     Protocol  Length  Info
2170  32.479679  192.168.20.1    192.168.20.130  RTCP      122     Sender Report, Source description
3108  37.158822  192.168.20.130  192.168.20.1    RTCP      106     Sender Report, Source description
3109  37.158934  192.168.20.130  192.168.20.132  RTCP              Sender Report, Source description
3136  37.287057  192.168.20.132  192.168.20.130  RTCP              Sender Report, Source description
3207  37.640101  192.168.20.1    192.168.20.130  RTCP              Sender Report, Source description

Frame 3108: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: Vmware_f8:0d:44 (00:0c:29:f8:0d:44), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 15675, Dst Port: 4001
Real-time Transport Control Protocol (Sender Report)
  [Stream setup by SDP (frame 37)]
  10.. .... = Version: RFC 1889 Version (2)
  ..0. .... = Padding: False
  ...0 0001 = Source count: 1
  Packet type: Source description (202)
  Length: 2 (12 bytes)
  Chunk 1, SSRC/CSRC 0x3C988166
    Identifier: 0x3c988166 (1016627558)
    SDES items
      Type: CNAME (user and domain) (1)
      Length: 0
      Type: END (0)
  [RTCP frame length check: OK - 64 bytes]

RTCP runs on the port announced in a=rtcp: (4001 here, i.e. media port + 1). The compound packet is a Sender Report followed by a Source description whose CNAME item is empty in this capture; when it is not, the CNAME (user@host) is a free piece of passive reconnaissance.
RTP Packets (Complete_normal_call.pcap)

No.   Time       Source          Destination     Protocol  Length  Info
3103  37.140222  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=5909, Time=120000
3104  37.141062  192.168.20.130  192.168.20.132  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x0AFD8AB5, Seq=21275, Time=120000
3105  37.143728  192.168.20.132  192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x43572C47, Seq=30108, Time=120000
3106  37.144098  192.168.20.130  192.168.20.1    RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x3C988166, Seq=26401, Time=120000
3110  37.160340  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=5910, Time=120160

Frame 3106: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_f8:0d:44 (00:0c:29:f8:0d:44), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 15674, Dst Port: 4000
Real-Time Transport Protocol
  [Stream setup by SDP (frame 37)]
  Version: RFC 1889 Version (2)
  Padding: False
  Extension: False
  Contributing source identifiers count: 0
  Marker: False
  Payload type: ITU-T G.711 PCMU (0)
  Sequence number: 26401
  [Extended sequence number: 91937]
  Timestamp: 120000
  Synchronization Source identifier: 0x3c988166 (1016627558)
  Payload: 5f5f606265696b6c6e70777b7d7d7e7d7a797efaf8fb7e7d...

There are four streams, one per direction on each leg (Alice <-> Asterisk, Asterisk <-> Bob), each identified by its SSRC. With PCMU at 8 kHz every packet carries 160 samples (20 ms), so the RTP timestamp advances by 160 per packet and the UDP payload is 12 + 160 = 172 bytes (214 bytes on the wire with the Ethernet, IP and UDP headers). The extended sequence number 91937 = 65536 + 26401 shows the 16-bit counter has already wrapped once.
Recovered VoIP Calls (Telephony > VoIP Calls)

Columns of the VoIP Calls dialog: Start Time, Stop Time, Initial Speaker, From, To, Protocol, Duration, Packets, State, Comments (with a Time of Day checkbox).

Flow Sequence of the call. Bob is 192.168.20.132 (SIP port 58655, RTP port 4000), Asterisk is 192.168.20.130 (SIP port 5060, RTP ports 15674 and 16912), Alice is 192.168.20.1 (SIP port 52987, RTP port 4000):

Time       Direction                    Message                                            Comment
17.478218  Bob:58655 -> Asterisk:5060   INVITE SDP (opus g711A g711U telephone-event ...)  SIP INVITE From: <sip:1111@192.168.20.130> To: ...
17.485438  Asterisk:5060 -> Bob:58655   100 Trying                                         SIP Status 100 Trying
17.597307  Asterisk:5060 -> Bob:58655   180 Ringing                                        SIP Status 180 Ringing
17.598013  Asterisk:5060 -> Alice:52987 INVITE SDP (g711U g711A GSM G726-32 ...)           SIP INVITE From: "Bob" <sip:1111@192.168.20.1...
17.603920  Alice:52987 -> Asterisk:5060 100 Trying                                         SIP Status 100 Trying
17.604301  Alice:52987 -> Asterisk:5060 180 Ringing                                        SIP Status 180 Ringing
17.605610  Asterisk:5060 -> Bob:58655   180 Ringing                                        SIP Status 180 Ringing
22.145095  Alice:52987 -> Asterisk:5060 200 OK SDP (g711U telephone-event)                 SIP Status 200 OK
22.148286  Asterisk:5060 -> Alice:52987 ACK                                                SIP Request INVITE ACK 200 CSeq:28747
22.150650  Asterisk:5060 -> Bob:58655   200 OK SDP (g711U g711A ...)                       SIP Status 200 OK
22.156664  Bob:58655 -> Asterisk:5060   ACK                                                SIP Request INVITE ACK 200 CSeq:20778
22.158359  Bob:58655 -> Asterisk:5060   UPDATE SDP (g711U telephone-event)                 SIP UPDATE From: <sip:1111@192.168.20.130> To: ...
22.160190  Alice:4000 -> Asterisk:15674 RTP (g711U)                                        RTP, 830 packets. Duration: 16.581s SSRC: 0x294...
22.160191  Asterisk:16912 -> Bob:4000   RTP (g711U)                                        RTP, 830 packets. Duration: 16.581s SSRC: 0xAFD...
22.161608  Bob:4000 -> Asterisk:16912   RTP (g711U)                                        RTP, 830 packets. Duration: 16.588s SSRC: 0x435...
22.161703  Asterisk:5060 -> Bob:58655   200 OK SDP (g711U telephone-event)                 SIP Status 200 OK
22.162308  Asterisk:15674 -> Alice:4000 RTP (g711U)                                        RTP, 830 packets. Duration: 16.589s SSRC: 0x3C9...
38.751436  Bob:58655 -> Asterisk:5060   BYE                                                SIP Request BYE CSeq:20780
38.752328  Asterisk:5060 -> Bob:58655   200 OK                                             SIP Status 200 OK

Asterisk acts as a back-to-back user agent: there are two independent SIP dialogs (Bob <-> Asterisk with CSeq 2077x, Asterisk <-> Alice with CSeq 28747) and the media of both legs passes through the server rather than directly between the phones.
Reconstructed Call (Wireshark RTP Player)

Source Address  Src Port  Destination Address  Dst Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.132  4000      192.168.20.130       16912     0x43572c47  78           830      22.2 - 38.8 (16.6)  8000              g711U
192.168.20.130  16912     192.168.20.132       4000      0x0afd8ab5  78           830      22.2 - 38.7 (16.6)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio); Playback Timing: Jitter Buffer / Time of Day

Both directions of the Bob leg are played back; the Setup Frame column points at frame 78, the UPDATE whose SDP fixed the final ports.
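What the RTP Player does for one stream can be reproduced in a few lines, as an added example that is not code from the VoIPShark talk or from Wireshark: order the packets by RTP sequence number (tolerating the 16-bit wrap and out-of-order delivery), replace a sequence number that never arrived with one packet's worth of silence so later audio stays at the right time offset, decode each G.711 µ-law byte to 16-bit linear PCM with the ITU-T G.711 expansion, and write an 8 kHz mono WAV. The packet list is constructed: the first payload reuses the 24 payload bytes visible on the "RTP Packets" slide (SSRC 0x3c988166, seq 26401) padded to a full 160-sample frame, the others are synthetic, and seq 26402 is deliberately missing.

```python
"""Rebuild the audio of a G.711 µ-law (PCMU) RTP stream as a WAV file."""
import wave

ULAW_SILENCE = 0xFF          # µ-law code for a zero sample
SAMPLES_PER_PACKET = 160     # G.711 at 8 kHz with 20 ms packetisation


def ulaw_to_linear(u):
    """Decode one G.711 µ-law byte to a signed 16-bit linear sample."""
    u = ~u & 0xFF
    t = ((u & 0x0F) << 3) + 0x84              # mantissa plus bias
    t <<= (u & 0x70) >> 4                     # segment (exponent)
    return (0x84 - t) if (u & 0x80) else (t - 0x84)


def order_packets(packets):
    """Sort (seq, payload) pairs by sequence number, tolerating 16-bit wrap-around.
    Returns a list of (extended_seq, payload) with duplicates dropped."""
    base = packets[0][0]
    seen = {}
    for seq, payload in packets:
        # signed 16-bit distance from the first packet, so 0 after 65535 sorts later
        ext = base + (((seq - base + 0x8000) & 0xFFFF) - 0x8000)
        seen.setdefault(ext, payload)         # keep the first copy of a duplicate
    return sorted(seen.items())


def stream_to_pcm(packets, fill=ULAW_SILENCE):
    """Concatenate payloads in sequence order; a missing sequence number becomes one
    packet of silence so the audio after it is not pulled earlier in time.
    Returns (pcm_samples, lost_packet_count)."""
    ordered = order_packets(packets)
    pcm, lost = [], 0
    expected = ordered[0][0]
    for ext, payload in ordered:
        while expected < ext:                  # gap: lost packet, insert silence
            pcm.extend([ulaw_to_linear(fill)] * SAMPLES_PER_PACKET)
            expected += 1
            lost += 1
        pcm.extend(ulaw_to_linear(b) for b in payload)
        expected = ext + 1
    return pcm, lost


def write_wav(path, pcm, rate=8000):
    """Write 16-bit mono PCM samples to a WAV file; returns the sample count."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"".join(s.to_bytes(2, "little", signed=True) for s in pcm))
    return len(pcm)


# Constructed packets (seq, payload); 26402 is missing and 26403 is duplicated.
_FIRST = bytes.fromhex("5f5f606265696b6c6e70777b7d7d7e7d7a797efaf8fb7e7d")
SAMPLE_PACKETS = [
    (26401, _FIRST + bytes([ULAW_SILENCE]) * (SAMPLES_PER_PACKET - len(_FIRST))),
    (26404, bytes([0x80]) * SAMPLES_PER_PACKET),   # arrives before 26403
    (26403, bytes([0x00]) * SAMPLES_PER_PACKET),
    (26403, bytes([0x00]) * SAMPLES_PER_PACKET),   # duplicate
]

if __name__ == "__main__":
    samples, lost = stream_to_pcm(SAMPLE_PACKETS)
    n = write_wav("recovered_0x3c988166.wav", samples)
    print(f"{n} samples written, {lost} packet(s) lost and filled with silence")
```

Silence filling is what keeps the two directions of a call aligned when one of them lost packets; dropping the gap instead would shift everything after it by 20 ms per lost packet.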
Possible Configurations

* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP


©PentesterAcademy.com 


SRTP key in SDP packet

No.  Time       Source          Destination     Protocol  Length  Info
128  27.128753  192.168.20.132  192.168.20.130  SIP/SDP   278     Request: INVITE sip:2222@192.168.20.130
131  27.301506  192.168.20.130  192.168.20.1    SIP/SDP   1174    Request: INVITE sip:2222@192.168.20.1:60168;ob
178  29.314263  192.168.20.130  192.168.20.132  SIP/SDP   1131    Status: 200 OK

Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
  Status-Line: SIP/2.0 200 OK
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3730471310 3730471311 IN IP4 192.168.5.114
      Session Name (s): pjmedia
      Bandwidth Information (b): AS:84
      Time Description, active time (t): 0 0
      Session Attribute (a): X-nat:0
      Media Description, name and address (m): audio 4000 RTP/SAVP 0 101
      Connection Information (c): IN IP4 192.168.5.114
      Bandwidth Information (b): TIAS:64000
      Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
      Media Attribute (a): sendrecv
      Media Attribute (a): rtpmap:0 PCMU/8000
      Media Attribute (a): rtpmap:101 telephone-event/8000
      Media Attribute (a): fmtp:101 0-16
      Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74

The transport profile is now RTP/SAVP, i.e. SRTP. With SDES key management (RFC 4568) the SRTP master key and salt travel base64-encoded in an a=crypto: attribute of this same SDP (below the part of the tree visible in the screenshot), so whoever can read the cleartext signalling can also decrypt the media: SRTP negotiated over plain SIP protects against nobody who sees the SIP exchange.
SRTP Traffic (Normal Call two parties.pcap)

No.  Time       Source          Destination     Protocol  Info
195  29.354843  192.168.20.132  192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15576, Time=320
     29.355005  192.168.20.130  192.168.20.1    SRTP      PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4650, Time=320
     29.372665  192.168.20.1    192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
     29.372952  192.168.20.130  192.168.20.132  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
     29.375160  192.168.20.132  192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15577, Time=480
200  29.375356  192.168.20.130  192.168.20.1    SRTP      PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4651, Time=480
204  29.393539  192.168.20.1    192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25654, Time=800
205  29.393821  192.168.20.130  192.168.20.132  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16571, Time=800
206  29.395768  192.168.20.132  192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15578, Time=640

(Addresses truncated in the screenshot are filled in from the SSRC of each stream; frame numbers not readable are left blank.)

Frame 195: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol

Wireshark labels these SRTP because the SDP negotiated RTP/SAVP. SRTP encrypts only the payload: the RTP header (payload type, SSRC, sequence number, timestamp) stays in the clear, so stream identification, packet counts and timing are visible to a passive observer even without the key. The frames are 224 bytes, 10 more than the 214-byte plain RTP frames, which is the 80-bit SRTP authentication tag.
Encrypted Call (Wireshark RTP Player)

Legend: Jitter Drops, Wrong Timestamps, Inserted Silence

Source Address  Src Port  Destination Address  Dst Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.132  4000      192.168.20.130       17786     0x15bd2f81  182          516      29.3 - 39.7 (10.4)  8000              g711U
192.168.20.130  17786     192.168.20.132       4000      0x60542655  182          520      29.3 - 39.7 (10.4)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio); Jitter Buffer: 50; Playback Timing: Jitter Buffer / Time of Day

The player still treats the streams as g711U because the SDP said so, but the payload bytes are SRTP ciphertext, so what it plays is noise until the master key is recovered.
Possible Configurations

* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP
No SIP Traffic

(Wireshark packet list of the SIP over TLS capture: no packets are dissected as SIP, because the signalling is encrypted.)
TLS Traffic (SIP over TLS), Normal_Call_two_parties.pcap

Time     Source          Destination     Protocol  Length  Info
.011835  192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
.016672  192.168.20.130  192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
.020041  192.168.20.132  192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
.020930  192.168.20.130  192.168.20.132  TLSv1     364     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
.021214  192.168.20.132  192.168.20.130  TLSv1     784     Application Data, Application Data
.021727  192.168.20.130  192.168.20.132  TLSv1     688     Application Data, Application Data
.022063  192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data
.025192  192.168.20.130  192.168.20.132  TLSv1     656     Application Data, Application Data
.076523  192.168.20.130  192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Data
.076842  192.168.20.132  192.168.20.130  TLSv1     928     Application Data, Application Data
.117462  192.168.20.132  192.168.20.130  TLSv1     512     Application Data, Application Data

(The seconds part of the timestamps is cut off in the screenshot.)

Frame 4: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49484, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer

The handshake on port 5061 already tells an observer two things: the server sends a Server Key Exchange message, which only (EC)DHE cipher suites use, and it sends a Certificate Request, so the client authenticates with a certificate too (mutual TLS). The SIP messages are the Application Data records that follow.
No RTP Traffic

(Wireshark packet list of the same capture: no packets are dissected as RTP either.)
Why No RTP Traffic?

* Wireshark learns which UDP ports will carry the RTP and RTCP streams from the SDP offer and answer (the m= and a=rtcp: lines) and registers the dissectors on those ports.
* With SIP over TLS the SIP and SDP are encrypted, so Wireshark never sees those lines and the media stays plain "UDP".

For comparison, a cleartext INVITE with its SDP from another capture:

No.  Time       Source          Destination     Protocol  Length  Info
14   23.132688  192.168.20.130  192.168.20.1    RTCP      86      Receiver Report, Source description
15   23.630139  192.168.20.132  192.168.20.130  SIP/SDP   1079    Request: INVITE sip:1111@192.168.20.130
16   23.631114  192.168.20.130  192.168.20.132  SIP       605     Status: 401 Unauthorized
17   23.633029  192.168.20.132  192.168.20.130  SIP       420     Request: ACK sip:1111@192.168.20.130

Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 63214, Dst Port: 5060
Session Initiation Protocol (INVITE)
  Request-Line: INVITE sip:1111@192.168.20.130 SIP/2.0
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3730467468 3730467468 IN IP4 192.168.20.132
      Session Name (s): pjmedia
      Bandwidth Information (b): AS:84
      Time Description, active time (t): 0 0
      Session Attribute (a): X-nat:0
      Media Description, name and address (m): audio 4004 RTP/AVP 123 8 0 101
        Media Type: audio
        Media Port: 4004
        Media Format: DynamicRTP-Type-123
        Media Format: ITU-T G.711 PCMA
        Media Format: ITU-T G.711 PCMU
        Media Format: DynamicRTP-Type-101
      Connection Information (c): IN IP4 192.168.20.132
      Bandwidth Information (b): TIAS:64000
      Media Attribute (a): rtcp:4005 IN IP4 192.168.20.132


Undecoded RTP Traffic

No.  Time       Source          Destination     Protocol  Length  Info
661  23.884012  192.168.20.130  192.168.20.132  UDP       214     17430 > 4000 Len=172
662  23.903032  192.168.20.132  192.168.20.130  UDP       214     4000 > 17430 Len=172
663  23.903302  192.168.20.130  192.168.20.1    UDP       214     16374 > 4000 Len=172
664  23.904066  192.168.20.1    192.168.20.130  UDP       214     4000 > 16374 Len=172
665  23.904167  192.168.20.130  192.168.20.132  UDP       214     17430 > 4000 Len=172
666  23.923545  192.168.20.132  192.168.20.130  UDP       214     4000 > 17430 Len=172
667  23.923824  192.168.20.130  192.168.20.1    UDP       214     16374 > 4000 Len=172
668  23.924438  192.168.20.1    192.168.20.130  UDP       214     4000 > 16374 Len=172
669  23.924589  192.168.20.130  192.168.20.132  UDP       214     17430 > 4000 Len=172
670  23.943786  192.168.20.132  192.168.20.130  UDP       214     4000 > 17430 Len=172
671  23.944063  192.168.20.130  192.168.20.1    UDP       214     16374 > 4000 Len=172

Frame 662: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17430
Data (172 bytes)

The traffic is still recognisable by shape: 172-byte datagrams every 20 ms in both directions between a fixed pair of ports (12-byte RTP header plus 160 G.711 samples), which is exactly what a plain RTP stream looks like.
Decode As

Right-click one of the UDP packets, choose "Decode As...", and in the "Wireshark: Decode As..." dialog map the UDP port (4000 here) to RTP. Alternatively enable the rtp_udp heuristic dissector under Analyze > Enabled Protocols, so that Wireshark tries RTP on all UDP traffic without needing the SDP.
RTP Traffic (after Decode As), Normal_Call_two_parties.pcap

No.  Time       Source          Destination     Protocol  Length  Info
653  23.843404  192.168.20.130  192.168.20.132  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26410, Time=21440
654  23.862647  192.168.20.132  192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29493, Time=21600
655  23.863368  192.168.20.130  192.168.20.1    RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10392, Time=21600
656  23.863618  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=14717, Time=21600
657  23.863759  192.168.20.130  192.168.20.132  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26411, Time=21600
658  23.882829  192.168.20.132  192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29494, Time=21760
659  23.883135  192.168.20.130  192.168.20.1    RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10393, Time=21760
660  23.883902  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=14718, Time=21760
661  23.884012  192.168.20.130  192.168.20.132  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26412, Time=21760
662  23.903032  192.168.20.132  192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29495, Time=21920
663  23.903302  192.168.20.130  192.168.20.1    RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10394, Time=21920

(Source and destination of frames 653-660 are truncated in the screenshot and filled in from the SSRC of each stream.)

Frame 662: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17430
Real-Time Transport Protocol
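The "Decode As" step can be automated. The block below is an added example, not code from the VoIPShark talk or from Wireshark; it recognises RTP in UDP payloads by shape, in the spirit of Wireshark's rtp_udp heuristic, for the situation of the "Why No RTP Traffic?" and "Undecoded RTP Traffic" slides where no SDP names the ports. A datagram is an RTP candidate if its first two bits say version 2, its header (including CSRC list and extension) fits, and its payload type is not one of the values that RTCP packets would produce; a set of candidates between the same addresses and ports is reported as a stream only when they share an SSRC and their sequence numbers advance by small steps. The datagrams are constructed to resemble the 172-byte G.711 packets on the slide; addresses, ports, SSRCs and counters are made up.

```python
"""Find RTP streams in UDP payloads without an SDP to point at the ports."""
import struct
from collections import defaultdict

RTP_HDR = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC
MAX_SEQ_STEP = 16                   # tolerate small loss; bigger or backward steps break a stream


def parse_rtp(payload):
    """Return the fixed RTP header fields, or None if this cannot be RTP."""
    if len(payload) < RTP_HDR.size:
        return None
    b0, b1, seq, ts, ssrc = RTP_HDR.unpack_from(payload)
    if b0 >> 6 != 2:                              # RTP version must be 2
        return None
    cc, pt = b0 & 0x0F, b1 & 0x7F
    hdr_len = RTP_HDR.size + 4 * cc               # CSRC list follows the fixed header
    if b0 & 0x10:                                 # header extension present
        if len(payload) < hdr_len + 4:
            return None
        ext_words = struct.unpack_from("!H", payload, hdr_len + 2)[0]
        hdr_len += 4 + 4 * ext_words
    if len(payload) < hdr_len:
        return None
    if 72 <= pt <= 76:                            # RTCP types 200-204 seen as RTP (RFC 5761)
        return None
    return {"pt": pt, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": payload[hdr_len:]}


def find_rtp_streams(datagrams, min_packets=3):
    """Group (src, sport, dst, dport, udp_payload) records into RTP streams.
    A stream is reported only if at least min_packets RTP-looking packets share
    the 5-tuple and SSRC and their sequence numbers advance by 1..MAX_SEQ_STEP."""
    candidates = defaultdict(list)
    for src, sport, dst, dport, data in datagrams:
        hdr = parse_rtp(data)
        if hdr:
            candidates[(src, sport, dst, dport, hdr["ssrc"])].append(hdr)
    streams = []
    for (src, sport, dst, dport, ssrc), hdrs in candidates.items():
        seqs = [h["seq"] for h in hdrs]
        steps = [(b - a) & 0xFFFF for a, b in zip(seqs, seqs[1:])]
        if len(hdrs) >= min_packets and all(1 <= s <= MAX_SEQ_STEP for s in steps):
            streams.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                            "ssrc": ssrc, "pt": hdrs[0]["pt"], "packets": len(hdrs),
                            "first_seq": seqs[0], "payload_len": len(hdrs[0]["payload"])})
    return streams


def make_rtp(seq, ts, ssrc, pt=0, samples=160):
    """Build a plain RTP packet (constructed test data, µ-law silence as payload)."""
    return RTP_HDR.pack(0x80, pt, seq, ts, ssrc) + bytes([0xFF]) * samples


# Constructed datagrams: one PCMU stream each way between 192.168.20.132:4000 and
# 192.168.20.130:17430, plus one non-RTP datagram on the same ports.
SAMPLE_DATAGRAMS = []
for i in range(4):
    SAMPLE_DATAGRAMS.append(("192.168.20.132", 4000, "192.168.20.130", 17430,
                             make_rtp(29493 + i, 21600 + 160 * i, 0x32D417E6)))
    SAMPLE_DATAGRAMS.append(("192.168.20.130", 17430, "192.168.20.132", 4000,
                             make_rtp(26410 + i, 21440 + 160 * i, 0x47A214A7)))
SAMPLE_DATAGRAMS.append(("192.168.20.132", 4000, "192.168.20.130", 17430,
                         bytes.fromhex("12340100000100000000000003777777") + b"\x00" * 20))

if __name__ == "__main__":
    for s in find_rtp_streams(SAMPLE_DATAGRAMS):
        print(f"{s['src']} -> {s['dst']} SSRC=0x{s['ssrc']:08x} PT={s['pt']} "
              f"packets={s['packets']} payload={s['payload_len']} bytes")
```

Fed with the UDP payloads of a capture (for example via a pcap reader), this yields the same four streams Wireshark shows after "Decode As", and because SRTP leaves the header in the clear it also finds SRTP streams; only the payload length (182 instead of 172 bytes for G.711) differs.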
Checking RTP Streams

Telephony > RTP > RTP Streams lists every stream found in Normal_Call_two_parties.pcap (the Telephony menu also offers VoIP Calls, SIP Flows, SIP Statistics, RTSP, IAX2 Stream Analysis and others).
Analysing RTP Streams (Telephony > RTP > Stream Analysis)

192.168.20.132:4000 <-> 192.168.20.130:17430, 2 streams found.

                  Forward             Reverse
SSRC              0x32d417e6          0x47a214a7
Max Delta         23.37 ms @ 989      24.31 ms @ 180
Max Jitter        1.49 ms             1.32 ms
Mean Jitter       0.87 ms             0.77 ms
Max Skew          40.44 ms            30.31 ms
RTP Packets       529                 524
Expected          529                 524
Lost              0 (0.00 %)          0 (0.00 %)
Seq Errs          0                   0
Start at          21.201381 s @ 108   21.269697 s @ 125
Duration          10.52 s             10.44 s
Clock Drift       -1030 ms            -1053 ms
Freq Drift        7217 Hz (-9.79 %)   7193 Hz (-10.09 %)

Forward to reverse start diff: 0.068316 s @ 17

Per-packet view (tabs: Forward | Reverse | Graph):

Packet  Sequence  Delta (ms)  Jitter (ms)  Skew   Bandwidth  Marker  Status
2251    29887     19.69       0.80         35.78  81.60
2243    29886     20.15       0.84         35.47  81.60
2239    29885     19.34       0.88         35.63  81.60
2235    29884     20.26       0.90         34.96  81.60
2231    29883     20.45       0.94         35.22  81.60
2227    29882     21.64       0.97         35.67  81.60
2223    29881     20.32       0.93         37.30  81.60
2220    29880     20.62       0.97         37.62  81.60
2215    29879     19.74       0.99         38.25  81.60
2211    29878     20.82       1.04         37.99  81.60
2207    29877     20.61       1.06         38.81  81.60
2203    29876     19.69       1.09         39.42  81.60
2199    29875     21.34       1.14         39.11  81.60
2195    29874     19.44       1.32         40.44  81.60
2192    29873     10.54       1.16         39.89  81.60
2189    29872     19.78       0.61         30.43  80.00
2185    29871     20.10       0.63         30.21  80.00
2181    29870     21.17       0.67         30.31  80.00
2177    29869     19.93       0.64         31.48  80.00
2173    29868     19.89       0.67         31.41  80.00
2169    29867     19.92       0.71         31.30  80.00
2165    29866     21.24       0.75         31.22  80.00
2161    29865     19.81       0.72         32.46  80.00
2157    29864     20.05       0.76         32.28  80.00
2153    29863     19.65       0.81         32.33  80.00
2148    29862     20.66       0.84         31.98  80.00
2144    29861     19.06       0.85         32.64  80.00
2138    29860     18.90       0.84         31.70  80.00

(Marker and Status are empty for these rows in the screenshot.) Delta is the inter-arrival time, nominally 20 ms for 160-sample G.711 packets; Jitter is the RFC 3550 interarrival jitter estimate; Expected is derived from the first and last sequence number, so Lost = Expected - received packets.
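The figures in the Stream Analysis window are easy to recompute once the RTP headers are parsed, which is useful when checking a recovered call for gaps or when a tool like VoIPShark has to flag a stream as damaged. The block below is an added example, not code from the VoIPShark talk or from Wireshark. It takes one stream as (arrival_time_s, seq, rtp_timestamp) triples in capture order and returns packet count, expected count from the extended sequence numbers, loss, sequence errors, maximum inter-arrival delta, interarrival jitter following the estimator in RFC 3550 section 6.4.1 (J += (|D| - J)/16, where D compares the spacing of arrival times with the spacing of RTP timestamps) and the largest arrival skew relative to the RTP clock. The sample stream is constructed: 20 ms PCMU packets with one packet lost and one delivered 5 ms late.

```python
"""Per-stream RTP statistics of the kind the Wireshark RTP Stream Analysis shows."""


def _signed(diff, bits):
    """Interpret a modular difference as a signed value (sequence and timestamp wrap)."""
    half = 1 << (bits - 1)
    return ((diff + half) & ((1 << bits) - 1)) - half


def _extend(seqs):
    """Turn 16-bit sequence numbers into a monotone extended sequence."""
    ext = [seqs[0]]
    for prev, cur in zip(seqs, seqs[1:]):
        ext.append(ext[-1] + _signed(cur - prev, 16))
    return ext


def analyse_stream(packets, clock_rate=8000):
    """packets: list of (arrival_time_s, seq, rtp_ts) for one SSRC, in capture order.
    Returns the usual stream analysis figures, time values in milliseconds."""
    if not packets:
        raise ValueError("empty stream")
    ext = _extend([seq for _, seq, _ in packets])
    expected = max(ext) - min(ext) + 1
    received = len(set(ext))                      # a duplicate counts once
    seq_errs = sum(1 for a, b in zip(ext, ext[1:]) if b != a + 1)

    deltas = [(b[0] - a[0]) * 1000.0 for a, b in zip(packets, packets[1:])]

    jitter, jitters = 0.0, []
    for (r0, _, s0), (r1, _, s1) in zip(packets, packets[1:]):
        ts_ms = _signed(s1 - s0, 32) * 1000.0 / clock_rate   # what the sender's clock says
        d = (r1 - r0) * 1000.0 - ts_ms                       # D(i-1, i) of RFC 3550
        jitter += (abs(d) - jitter) / 16.0
        jitters.append(jitter)

    r_start, _, s_start = packets[0]
    skews = [(r - r_start) * 1000.0 - _signed(s - s_start, 32) * 1000.0 / clock_rate
             for r, _, s in packets]                         # + means later than the clock

    return {
        "packets": len(packets), "received": received, "expected": expected,
        "lost": expected - received,
        "lost_pct": 100.0 * (expected - received) / expected,
        "seq_errs": seq_errs,
        "max_delta_ms": max(deltas) if deltas else 0.0,
        "max_jitter_ms": max(jitters) if jitters else 0.0,
        "mean_jitter_ms": sum(jitters) / len(jitters) if jitters else 0.0,
        "max_skew_ms": max(abs(s) for s in skews),
        "duration_s": packets[-1][0] - packets[0][0],
    }


# Constructed stream: 8 kHz PCMU, 20 ms packets (160 timestamp units each).
SAMPLE_STREAM = [
    (0.000, 100, 0),
    (0.020, 101, 160),
    (0.040, 102, 320),
    (0.060, 103, 480),
    # seq 104 (ts 640) never arrived
    (0.100, 105, 800),
    (0.125, 106, 960),      # 5 ms late
    (0.140, 107, 1120),
]

if __name__ == "__main__":
    for k, v in analyse_stream(SAMPLE_STREAM).items():
        print(f"{k:15} {v}")
```

Note that the lost packet does not raise the jitter estimate: arrival spacing and timestamp spacing grow by the same 20 ms, so D stays zero; only the late packet does, first by +5 ms and then by -5 ms when the next one arrives on schedule.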
Playing RTP Streams (Wireshark RTP Player)

Source Address  Src Port  Destination Address  Dst Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.1    4000      192.168.20.130       16374     0x00294823  4294967295   528      21.2 - 31.7 (10.5)  8000              g711U
192.168.20.130  16374     192.168.20.1         4000      0x5b7c483d  4294967295   524      21.3 - 31.7 (10.4)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio); Jitter Buffer: 50; Playback Timing: Jitter Buffer / Time of Day

Setup Frame 4294967295 (0xFFFFFFFF) means no setup frame: these streams were found with Decode As rather than from an SDP exchange. Playback works anyway because G.711 needs no key; SIP over TLS hides the call metadata (who called whom) but not the conversation itself.


Possible Configurations

* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP
TLS key exchange methods

* TLS encrypts the data with symmetric ciphers (e.g. AES); what differs between cipher suites is how the two sides agree on the session key.
* Two options in practice:
  - (EC)DHE: ephemeral Diffie-Hellman key exchange, authenticated by the server's signature
  - RSA key transport: the client encrypts the premaster secret with the server's RSA public key (asymmetric encryption)
Diffie Hellman Exchange

Paint-mixing analogy (assumption: separating a mixture back into its colours is expensive):

* Both parties start from a common paint, which is public.
* Each adds a secret colour and sends the resulting mixture over the public transport.
* Each adds their own secret colour again to the mixture they received; both end up with the same common secret.
* The attacker sees the common paint and both exchanged mixtures, but cannot tell which secret colour was added, so cannot reconstruct the common secret.

More on: en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
RSA (Asymmetric Encryption)

(Diagram: the sender encrypts the plaintext with the recipient's public key; the recipient decrypts it with the recipient's private key.)

* Different keys are used to encrypt and decrypt the message.
Observations?

* Keys derived with ECDHE/DHE cannot be recovered by listening to the traffic: the ephemeral secrets never leave the endpoints and every session uses fresh ones (forward secrecy).
* For RSA key transport, whoever has the server's private key can decrypt the premaster secret and with it the whole session, including sessions recorded earlier (Wireshark: TLS protocol preferences, RSA keys list). TLS 1.3 removed RSA key transport, so this only applies to TLS 1.2 and earlier.
TLS Traffic (SIP over TLS), Normal_Call_two_parties.pcap

No.  Time       Source          Destination     Protocol  Length  Info
15   10.172139  192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
18   10.177721  192.168.20.130  192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
19   10.181390  192.168.20.132  192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
20   10.182741  192.168.20.130  192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
21   10.183127  192.168.20.132  192.168.20.130  TLSv1     784     Application Data, Application Data
22   10.183904  192.168.20.130  192.168.20.132  TLSv1     688     Application Data, Application Data
23   10.184221  192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data
24   10.187834  192.168.20.130  192.168.20.132  TLSv1     656     Application Data, Application Data
26   10.237912  192.168.20.130  192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Data
27   10.238220  192.168.20.132  192.168.20.130  TLSv1     928     Application Data, Application Data
29   10.277703  192.168.20.132  192.168.20.130  TLSv1     512     Application Data, Application Data

Frame 15: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49532, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer
Diffie Hellman Exchange (in the capture)

Time       Source          Destination     Protocol  Length  Info
10.172139  192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
10.177721  192.168.20.130  192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
10.181390  192.168.20.132  192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
10.182741  192.168.20.130  192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
10.183127  192.168.20.132  192.168.20.130  TLSv1     784     Application Data, Application Data
10.183904  192.168.20.130  192.168.20.132  TLSv1     688     Application Data, Application Data
10.184221  192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data
10.187834  192.168.20.130  192.168.20.132  TLSv1     656     Application Data, Application Data
10.237912  192.168.20.130  192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Data

Frame 19: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49532, Dst Port: 5061, Seq: 200, Ack: 1193, Len: 146
Secure Sockets Layer
  TLSv1 Record Layer: Handshake Protocol: Certificate
  TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 70
    Handshake Protocol: Client Key Exchange
      Handshake Type: Client Key Exchange (16)
      Length: 66
  TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
  TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message

The Client Key Exchange body is only 66 bytes: a 1-byte length plus a 65-byte uncompressed P-256 point, which is what an ECDHE suite sends. RSA key transport with a 2048-bit server key would carry a 258-byte encrypted premaster secret (2-byte length plus 256 bytes). Together with the Server Key Exchange in the server's flight this shows the session key is ephemeral, so the server's private key would not decrypt this capture.
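Deciding "can this capture be decrypted with the server's RSA key?" comes down to reading the negotiated cipher suite out of the ServerHello and checking for a ServerKeyExchange message, the two signals discussed on the "Observations?" slide and on this one. The block below is an added example, not code from the VoIPShark talk or from Wireshark: it walks TLS records, pulls handshake messages out of them (assuming, for brevity, that no message is split across two records), parses the ServerHello up to the cipher suite, and classifies the flight. The server flights are constructed: random and session id are zeros, the certificate list is empty, the ServerKeyExchange body is filler, and the two suites are chosen to show both outcomes.

```python
"""Classify a captured TLS server flight: RSA key transport or ephemeral (EC)DHE?"""
import struct

# IANA cipher suite ids this example knows; the key-exchange part of the name is what matters.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
HANDSHAKE = 22
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14


def iter_handshake_messages(data):
    """Yield (handshake_type, body) from a byte string of consecutive TLS records.
    Simplification: each record is assumed to hold whole handshake messages."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, rlen = struct.unpack_from("!BHH", data, off)
        record = data[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:
            continue
        pos = 0
        while pos + 4 <= len(record):
            htype = record[pos]
            hlen = int.from_bytes(record[pos + 1:pos + 4], "big")
            yield htype, record[pos + 4:pos + 4 + hlen]
            pos += 4 + hlen


def parse_server_hello(body):
    """Return (protocol_version, cipher_suite) from a ServerHello body."""
    version = struct.unpack_from("!H", body, 0)[0]
    sid_len = body[34]                                 # 2 version + 32 random
    suite = struct.unpack_from("!H", body, 35 + sid_len)[0]
    return version, suite


def classify_server_flight(data):
    """What the server's first flight tells a passive observer about decryptability."""
    suite, saw_ske = None, False
    for htype, body in iter_handshake_messages(data):
        if htype == SERVER_HELLO:
            _, suite = parse_server_hello(body)
        elif htype == SERVER_KEY_EXCHANGE:
            saw_ske = True
    if suite is None:
        raise ValueError("no ServerHello found")
    name = CIPHER_SUITES.get(suite, f"unknown_0x{suite:04x}")
    rsa_transport = name.startswith("TLS_RSA_WITH_")
    return {
        "cipher_suite": name,
        "server_key_exchange": saw_ske,
        # RSA key transport never sends ServerKeyExchange; (EC)DHE always does.
        "decryptable_with_server_rsa_key": rsa_transport and not saw_ske,
        "forward_secret": not rsa_transport or saw_ske,
    }


# Constructed server flights for the two cases.
def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(ctype, payload, version=0x0301):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def make_server_hello(suite, version=0x0301):
    body = (struct.pack("!H", version) + bytes(32)      # version, random (zeros here)
            + bytes([0])                                # empty session id
            + struct.pack("!H", suite) + bytes([0]))    # cipher suite, null compression
    return _handshake(SERVER_HELLO, body)


_CERT = _handshake(CERTIFICATE, bytes(3))               # empty certificate list (placeholder)
_SKE = _handshake(SERVER_KEY_EXCHANGE, bytes(70))       # ECDHE params would go here (filler)
_DONE = _handshake(SERVER_HELLO_DONE, b"")
FLIGHT_RSA = _record(HANDSHAKE, make_server_hello(0x002F) + _CERT + _DONE)
FLIGHT_ECDHE = _record(HANDSHAKE, make_server_hello(0xC02F) + _CERT + _SKE + _DONE)

if __name__ == "__main__":
    for label, flight in (("RSA", FLIGHT_RSA), ("ECDHE", FLIGHT_ECDHE)):
        print(label, classify_server_flight(flight))
```

On the capture above the answer is the ECDHE one: the server's flight contains a Server Key Exchange, so even with the Asterisk server's private key the SIP over TLS signalling stays opaque and the RTP ports have to be found heuristically, as in the Decode As step.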
Undecoded SRTP Traffic (Normal Call two parties.pcap)

No.  Time        Source          Destination     Protocol  Length  Info
714  103.046522  192.168.20.130  192.168.20.1    UDP       224     13288 > 4000 Len=182
715  103.049044  192.168.20.1    192.168.20.130  UDP       224     4000 > 13288 Len=182
716  103.049234  192.168.20.130  192.168.20.132  UDP       224     13408 > 4000 Len=182
717  103.066609  192.168.20.132  192.168.20.130  UDP       224     4000 > 13408 Len=182
718  103.067006  192.168.20.130  192.168.20.1    UDP       224     13288 > 4000 Len=182
719  103.079392  192.168.20.1    192.168.20.130  UDP       224     4000 > 13288 Len=182
720  103.079609  192.168.20.130  192.168.20.132  UDP       224     13408 > 4000 Len=182
721  103.086695  192.168.20.132  192.168.20.130  UDP       224     4000 > 13408 Len=182
722  103.087313  192.168.20.130  192.168.20.1    UDP       224     13288 > 4000 Len=182
723  103.089180  192.168.20.1    192.168.20.130  UDP       224     4000 > 13288 Len=182

Frame 719: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 13288
Data (182 bytes)

Same cadence as the unencrypted case, but every datagram is 182 bytes instead of 172: the 10 extra bytes are consistent with the 80-bit authentication tag of AES_CM_128_HMAC_SHA1_80, so the stream can be told apart from plain RTP by its length alone.
Decode As

[Wireshark screenshot: Normal_Call_two_parties.pcap, right-click on frame 714 opens the packet context menu (Mark/Unmark Packet, Ignore/Unignore Packet, Set/Unset Time Reference, Time Shift..., Packet Comment..., Edit Resolved Name, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow, Copy, Show Packet in New Window, Decode As...); Decode As... is chosen and RTP is selected. The Decode As dialog has the columns Field, Value, Type, Default, Current.]

Frame 714: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_ff:65:9b (00:0c:29:ff:65:9b), Dst: ...
Internet Protocol Version 4, Src: 192.168.20.130, Dst: ...
User Datagram Protocol, Src Port: 13288, Dst Port: 4000
Data (182 bytes)
Checking RTP Streams

[Wireshark screenshot: Normal_Call_two_parties.pcap, Telephony menu (VoIP Calls, GSM, IAX2 Stream Analysis, ISUP Messages, LTE, MTP3, Osmux, RTP, RTSP, SCTP, SMPP Operations, UCP Messages, H.225, SIP Flows, SIP Statistics, WAP-WSP Packet Counter) with RTP > RTP Streams selected. After Decode As, the 224-byte frames dissect as RTP:]

PT=ITU-T G.711 PCMU, SSRC=0x3EFBC86D, Seq=27905, Time=7040
PT=ITU-T G.711 PCMU, SSRC=0x4DCD5225, Seq=16871, Time=7040
PT=ITU-T G.711 PCMU, SSRC=0x6A41E0F3, Seq=385, Time=7040
PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=15098, Time=7200
PT=ITU-T G.711 PCMU, SSRC=0x3EFBC86D, Seq=27906, Time=7200
PT=ITU-T G.711 PCMU, SSRC=0x4DCD5225, Seq=16872, Time=7200
PT=ITU-T G.711 PCMU, SSRC=0x6A41E0F3, Seq=386, Time=7200
PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=15099, Time=7360
PT=ITU-T G.711 PCMU, SSRC=0x3EFBC86D, Seq=27907, Time=7360
PT=ITU-T G.711 PCMU, SSRC=0x4DCD5225, Seq=16873, Time=7360

Frame 714: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_ff:65:9b (00:0c:29:ff:65:9b), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: ...
User Datagram Protocol, Src Port: 13288, Dst Port: ...
Real-Time Transport Protocol
Analysing RTP Streams

[Wireshark screenshot: RTP Stream Analysis for 192.168.20.1:4000 -> 192.168.20.130:13288, tabs Forward, Reverse, Graph. The per-packet table has the columns Packet, Sequence, Delta (ms), Jitter (ms), Skew, Bandwidth, Marker, Status; deltas sit around 20 ms (one G.711 frame), with one 40.57 ms gap at packet 540. "2 streams found."]

Forward
  SSRC 0x3efbc86d
  Max Delta 40.57 ms @ 540
  Max Jitter 1.52 ms
  Mean Jitter 0.88 ms
  RTP Packets 615
  Expected 616
  Lost 1 (0.16 %)
  Seq Errs 1
  Freq Drift 3451 Hz (-56.86 %)

Reverse
  SSRC 0x4dcd5225
  Max Delta 30.43 ms @ 1370
  Mean Jitter 0.90 ms
  RTP Packets 617
  Expected 617
  Lost 0 (0.00 %)
  Seq Errs 0
  Clock Drift -6961 ms
  Freq Drift 3468 Hz (-56.64 %)

Forward to reverse start diff -0.014346 s @ -3
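What Wireshark does in the three slides above (Decode As RTP, Checking RTP Streams, Analysing RTP Streams), as an added Python example that is not part of the original deck: it parses the RTP header, applies the cheap test that makes a UDP flow a Decode As candidate, and computes RTP Packets, Expected, Lost and Seq Errs per SSRC, including the 16-bit sequence wrap that must not be counted as loss. The packets are constructed inline; only the SSRC values are borrowed from the slides.

```python
import struct
from dataclasses import dataclass

RTP_VERSION = 2


@dataclass
class RtpHeader:
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    header_len: int


def parse_rtp_header(data: bytes) -> RtpHeader:
    """Parse the fixed RTP header (RFC 3550, section 5.1) plus the optional CSRC list."""
    if len(data) < 12:
        raise ValueError("shorter than a fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError(f"RTP version {b0 >> 6}, expected {RTP_VERSION}")
    csrc_count = b0 & 0x0F
    header_len = 12 + 4 * csrc_count
    if len(data) < header_len:
        raise ValueError("truncated CSRC list")
    return RtpHeader(bool(b0 & 0x20), bool(b0 & 0x10), csrc_count,
                     bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, header_len)


def looks_like_rtp(data: bytes) -> bool:
    """Cheap test for a 'Decode As RTP' candidate: version 2 and not RTCP
    (RTCP packet types 200-204 land in the 7-bit PT field as 72-76 with the marker bit set)."""
    try:
        h = parse_rtp_header(data)
    except ValueError:
        return False
    return not (h.marker and 72 <= h.payload_type <= 76)


def analyse_streams(packets, clock_rate=8000):
    """Per-SSRC figures as Wireshark's RTP Stream Analysis reports them: RTP Packets,
    Expected (from the sequence-number range), Lost, Seq Errs, plus the duration taken
    from the RTP timestamps (8 kHz clock for G.711)."""
    streams = {}
    for data in packets:
        h = parse_rtp_header(data)
        s = streams.get(h.ssrc)
        if s is None:
            s = streams[h.ssrc] = {"packets": 0, "seq_errors": 0,
                                   "first_seq": h.sequence, "last_seq": h.sequence,
                                   "first_ts": h.timestamp, "last_ts": h.timestamp,
                                   "payload_types": set()}
        elif (h.sequence - s["last_seq"]) & 0xFFFF != 1:
            s["seq_errors"] += 1  # gap or reordering; a 65535 -> 0 wrap is not an error
        s["packets"] += 1
        s["last_seq"], s["last_ts"] = h.sequence, h.timestamp
        s["payload_types"].add(h.payload_type)
    for s in streams.values():
        s["expected"] = ((s["last_seq"] - s["first_seq"]) & 0xFFFF) + 1
        s["lost"] = s["expected"] - s["packets"]
        s["duration_s"] = ((s["last_ts"] - s["first_ts"]) & 0xFFFFFFFF) / clock_rate
    return streams


def make_rtp(seq, ts, ssrc, payload_type=0, marker=False, payload=b"\xff" * 160):
    """Build a G.711 PCMU packet: 12-byte header + 160 samples (20 ms at 8 kHz) = 172 bytes,
    the 'Data (172 bytes)' size of the decrypted packets on the later slides."""
    return struct.pack("!BBHII", RTP_VERSION << 6, (0x80 if marker else 0) | payload_type,
                       seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


# Constructed sample (SSRC values borrowed from the slides): stream A is missing sequence
# 27865, so the analysis should report 1 lost and 1 sequence error; stream C wraps 65535 -> 0.
SAMPLE_PACKETS = (
    [make_rtp(27862 + i, 7040 + 160 * i, 0x3EFBC86D, marker=(i == 0)) for i in range(10) if i != 3]
    + [make_rtp(s, 1000 + 160 * i, 0x6A41E0F3) for i, s in enumerate((65534, 65535, 0, 1))]
)

if __name__ == "__main__":
    for ssrc, s in analyse_streams(SAMPLE_PACKETS).items():
        print(f"SSRC 0x{ssrc:08X}: packets={s['packets']} expected={s['expected']} "
              f"lost={s['lost']} seq_errs={s['seq_errors']} duration={s['duration_s']:.3f}s")
```

Expected follows Wireshark's definition (last sequence minus first, plus one), so a stream that starts mid-capture still reports zero loss; only holes inside the observed range count.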
Playing RTP Streams

[Wireshark screenshot: RTP Player. Waveform legend: Jitter Drops, Wrong Timestamps, Inserted Silence; time axis from about 106 to 114 s.]

SSRC        Setup Frame  Packets  Time Span (s)     Sample Rate (Hz)  Payloads
0x00294823  4294967295   616      102 - 114 (12.3)  8000              g711U
0x6a41e0f3  4294967295   616      102 - 114 (12.3)  8000              g711U

Source Address  Source Port  Destination Address  Destination Port
192.168.20.132  4000         192.168.20.130       13408
192.168.20.130  13408        192.168.20.132       4000

Output Device: Speakers (Realtek High Definition Audio)
Jitter Buffer: 50    Playback Timing: Jitter Buffer / Time of Day
TLS Traffic (SIP over TLS)

[Wireshark screenshot: Call_to_VoiceMail.pcap, SIP over TLS between the phone 192.168.20.132 (port 49481) and Asterisk 192.168.20.130 (port 5061).]

Time       Source          Destination     Protocol  Length  Info
3.025978   192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
3.031243   192.168.20.130  192.168.20.132  TLSv1     1030    Server Hello, Certificate, Certificate Request, Server Hello Done
3.032252   192.168.20.132  192.168.20.130  TLSv1     264     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handsh...
3.033610   192.168.20.130  192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
3.035114   192.168.20.132  192.168.20.130  TLSv1     784     Application Data, Application Data
3.036454   192.168.20.130  192.168.20.132  TLSv1     688     Application Data, Application Data
3.036892   192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data
3.039477   192.168.20.130  192.168.20.132  TLSv1             Application Data, Application Data
3.089799   192.168.20.130  192.168.20.132  TLSv1             Application Data, Application Data, Application Data, Application Data
3.090170   192.168.20.132  192.168.20.130  TLSv1             Application Data, Application Data
3.130640   192.168.20.132  192.168.20.130  TLSv1             Application Data, Application Data
10.968782  192.168.20.132  192.168.20.130  TLSv1             Application Data, Application Data
10.970517  192.168.20.130  192.168.20.132  TLSv1             Application Data, Application Data
10.970920  192.168.20.132  192.168.20.130  TLSv1             Application Data, Application Data
10.971375  192.168.20.132  192.168.20.130  TLSv1             Application Data, Application Data
10.973943  192.168.20.130  192.168.20.132  TLSv1             Application Data, Application Data
11.075535  192.168.20.130  192.168.20.132  TLSv1             Application Data, Application Data

Frame 9: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49481, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer
RSA based key exchange

[Wireshark screenshot: Call_to_VoiceMail.pcap, the same handshake as on the previous slide (Client Hello 253; Server Hello, Certificate, Certificate Request, Server Hello Done 1030; Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 264; New Session Ticket, Change Cipher Spec, Encrypted Handshake Message 304; then Application Data 784, 688, 1088), with frame 12 expanded.]

Unlike the earlier capture, whose server flight contained a Server Key Exchange, this server sends none: the premaster secret is encrypted straight to the RSA key in the server certificate. The 130-byte Client Key Exchange below is a 2-byte length plus a 128-byte (1024-bit) RSA ciphertext, which is what makes the session recoverable with the server's private key alone.

Frame 12: 264 bytes on wire (2112 bits), 264 bytes captured (2112 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49481, Dst Port: 5061, Seq: 200, Ack: 977, Len: 210
Secure Sockets Layer
  TLSv1 Record Layer: Handshake Protocol: Certificate
  TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 134
    Handshake Protocol: Client Key Exchange
      Handshake Type: Client Key Exchange (16)
      Length: 130
  TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
  TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Decrypting TLS traffic

* We can decrypt with the private key installed on Asterisk One
* Keys and certificate location on Asterisk One: /etc/asterisk/keys
* We have to get the default.key from the server

[Terminal screenshot: directory listing of /etc/asterisk/keys, left edge and file names partly cut off]
...           asterisk asterisk  215 Mar 19 03:59 ca.cfg
-rw-rw-r--. 1 asterisk asterisk 1789 Mar 19 03:59 ca.crt
-rw-rw-r--. 1 asterisk asterisk 3311 Mar 19 03:59 ca.ke...
drwxrwxr-x. 2 asterisk asterisk 4096 Mar 19 03:59 inte...

©PentesterAcademy.com

* Edit > Preferences > Protocol > SSL

[Wireshark screenshot: Preferences dialog, protocol list (... SMTP, SMUX, SNA, SNMP, Snort, Socks, SoulSeek, SoupBinTCP, Spice, SPRT, SRVLOC, SSCOP, SSDP, SSH, SSL, STANAG 5066, StarTeam, STP, STT, STUN, SUA, SV, SYNC, SYNCHROPHASOR, Synergy ...) with Secure Sockets Layer selected. Settings shown: RSA keys list (Edit...), SSL debug file, Reassemble SSL records spanning multiple TCP segments, Reassemble SSL Application Data spanning multiple SSL records, Message Authentication Code (MAC), ignore "mac failed", Pre-Shared-Key, (Pre)-Master-Secret log filename.]
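The check behind the two slides above (RSA based key exchange; Decrypting TLS traffic), as an added Python example that is not part of the original deck: it walks the server's TLS 1.0 handshake records, lists the handshake messages the way Wireshark labels them, reads the negotiated cipher suite from the Server Hello and records whether a Server Key Exchange was sent. Only an RSA key-transport suite with no Server Key Exchange can be decrypted with the server's private key in the RSA keys list; a DHE/ECDHE session cannot, even with that key. The two server flights are constructed inline, and the cipher-suite table is an assumption covering a handful of IANA values rather than the full registry.

```python
import struct

# TLS record content types and handshake message types (RFC 2246/5246), named as Wireshark shows them.
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
HANDSHAKE_NAMES = {1: "Client Hello", 2: "Server Hello", 4: "New Session Ticket",
                   11: "Certificate", 12: "Server Key Exchange", 13: "Certificate Request",
                   14: "Server Hello Done", 16: "Client Key Exchange", 20: "Finished"}
# IANA cipher-suite values -> (name, key-exchange family). Assumption: a small set a
# TLS 1.0 SIP deployment is likely to negotiate; extend as needed.
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
}


def iter_records(stream):
    """Yield (content_type, body) for each TLS record in one direction of a TCP stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length


def iter_handshakes(body):
    """Yield (handshake_type, body) for the messages packed into one plaintext handshake record."""
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        length = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + length]
        off += 4 + length


def server_hello_cipher_suite(hs_body):
    """ServerHello layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ..."""
    sid_len = hs_body[34]
    return struct.unpack("!H", hs_body[35 + sid_len:37 + sid_len])[0]


def classify_handshake(server_stream):
    """Summarise the server side of a handshake and say whether the server's RSA private key
    alone (Wireshark's RSA keys list) is enough to decrypt the session."""
    messages, suite, encrypted = [], None, False
    for ctype, body in iter_records(server_stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # everything after this, in this direction, is encrypted
        elif ctype == HANDSHAKE and encrypted:
            messages.append("Encrypted Handshake Message")  # Finished: type byte unreadable
        elif ctype == HANDSHAKE:
            for htype, hbody in iter_handshakes(body):
                messages.append(HANDSHAKE_NAMES.get(htype, f"handshake type {htype}"))
                if htype == 2:
                    suite = server_hello_cipher_suite(hbody)
    unknown = (f"0x{suite:04X}" if suite is not None else None, "unknown")
    name, family = CIPHER_SUITES.get(suite, unknown)
    has_ske = "Server Key Exchange" in messages
    return {"messages": messages, "cipher_suite": name, "key_exchange": family,
            "server_key_exchange": has_ske,
            # RSA key transport: the premaster secret is encrypted to the certificate key.
            # (EC)DHE: Server Key Exchange carries ephemeral parameters the key cannot recover.
            "rsa_private_key_decrypts": family == "RSA" and not has_ske}


# --- constructed sample flights: placeholder bodies, no real certificates ---
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(ctype, body, version=0x0301):  # 0x0301 = TLS 1.0, as on the slides
    return struct.pack("!BHH", ctype, version, len(body)) + body


def _server_hello(suite):
    return b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"


SAMPLE_RSA_FLIGHT = (
    _record(HANDSHAKE, _hs(2, _server_hello(0x002F)) + _hs(11, bytes(3))
            + _hs(13, bytes(3)) + _hs(14, b""))
    + _record(HANDSHAKE, _hs(4, bytes(6)))  # New Session Ticket
    + _record(CHANGE_CIPHER_SPEC, b"\x01")
    + _record(HANDSHAKE, bytes(48))         # Finished, already encrypted
)
SAMPLE_ECDHE_FLIGHT = (
    _record(HANDSHAKE, _hs(2, _server_hello(0xC013)) + _hs(11, bytes(3))
            + _hs(12, bytes(8)) + _hs(13, bytes(3)) + _hs(14, b""))
    + _record(CHANGE_CIPHER_SPEC, b"\x01")
    + _record(HANDSHAKE, bytes(48))
)

if __name__ == "__main__":
    for label, flight in (("RSA", SAMPLE_RSA_FLIGHT), ("ECDHE", SAMPLE_ECDHE_FLIGHT)):
        print(label, classify_handshake(flight))
```

Run against the server-to-client half of a real TCP stream (for instance what Follow TCP Stream exports), the message list should match the Info column on the slides; the RSA flight reproduces "Server Hello, Certificate, Certificate Request, Server Hello Done" followed by "New Session Ticket, Change Cipher Spec, Encrypted Handshake Message".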
Adding Asterisk default private key

Decrypted SIP traffic

[Wireshark screenshot: Call_to_VoiceMail.pcap with the Asterisk private key added to the RSA keys list. The TLS application data between 192.168.20.130 and 192.168.20.132 now dissects as SIP and SIP/SDP:]

No.   Time       Source          Destination     Protocol  Length  Info
17    3.039477   192.168.20.130  192.168.20.132  SIP       656     Status: 200 OK (1 binding)
19    3.089799   192.168.20.130  192.168.20.132  SIP       1370    Request: OPTIONS sip:1111@192.168.20.132:49481;transport=TLS;ob
20    3.090170   192.168.20.132  192.168.20.130  SIP       928     Status: 200 OK
22    3.130640   192.168.20.132  192.168.20.130  SIP       512     Status: 200 OK
28    10.968782  192.168.20.132  192.168.20.130  SIP/SDP   1584    Request: INVITE sip:2222@192.168.20.130;transport=tls
30    10.970517  192.168.20.130  192.168.20.132  SIP       688     Status: 401 Unauthorized
31    10.970920  192.168.20.132  192.168.20.130  SIP       528     Request: ACK sip:2222@192.168.20.130;transport=tls
32    10.971375  192.168.20.132  192.168.20.130  SIP/SDP   1888    Request: INVITE sip:2222@192.168.20.130;transport=tls
34    10.973943  192.168.20.130  192.168.20.132  SIP       496     Status: 100 Trying
36    11.075535  192.168.20.130  192.168.20.132  SIP/SDP   1184    Status: 200 OK
39    11.077488  192.168.20.132  192.168.20.130  SIP       512     Request: ACK sip:192.168.20.130:5061;transport=TLS
48    11.117569  192.168.20.132  192.168.20.130  SIP/SDP   1120    Request: UPDATE sip:192.168.20.130:5061;transport=TLS
50    11.118325  192.168.20.130  192.168.20.132  SIP/SDP   1152    Status: 200 OK
2302  33.695049  192.168.20.130  192.168.20.132  SIP       592     Request: BYE sip:1111@192.168.20.132:49481;transport=TLS;ob
2303  33.695785  192.168.20.132  192.168.20.130  SIP       496     Status: 200 OK

Frame 50: 1152 bytes on wire (9216 bits), 1152 bytes captured (9216 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
Transmission Control Protocol, Src Port: 5061, Dst Port: 49481, Seq: 5985, Ack: 8868, Len: 1098
Secure Sockets Layer
Session Initiation Protocol (200)
SRTP key in SIP/SDP decrypted packet

[Wireshark screenshot: Call_to_VoiceMail.pcap filtered to SIP/SDP, frame 50 (the 200 OK from Asterisk) expanded down to the SDP media attributes.]

No.  Time       Source          Destination     Protocol  Length  Info
28   10.968782  192.168.20.132  192.168.20.130  SIP/SDP   1584    Request: INVITE sip:2222@192.168.20.130;transport=tls
32   10.971375  192.168.20.132  192.168.20.130  SIP/SDP   1888    Request: INVITE sip:2222@192.168.20.130;transport=tls
36   11.075535  192.168.20.130  192.168.20.132  SIP/SDP   1184    Status: 200 OK
48   11.117569  192.168.20.132  192.168.20.130  SIP/SDP   1120    Request: UPDATE sip:192.168.20.130:5061;transport=TLS
50   11.118325  192.168.20.130  192.168.20.132  SIP/SDP   1152    Status: 200 OK

Frame 50: 1152 bytes on wire (9216 bits), 1152 bytes captured (9216 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
Transmission Control Protocol, Src Port: 5061, Dst Port: 49481, Seq: 5985, Ack: 8868, Len: 1098
Secure Sockets Layer
Session Initiation Protocol (200)
  Status-Line: SIP/2.0 200 OK
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3730743973 3730743976 IN IP4 192.168.20.130
      Session Name (s): Asterisk
      Connection Information (c): IN IP4 192.168.20.130
      Time Description, active time (t): 0 0
      Media Description, name and address (m): ...
      Media Attribute (a): rtpmap:0 PCMU/8000
      Media Attribute (a): rtpmap:101 telephone-event/8000
Open Source Tools for Decrypting SRTP

* SRTP Decrypt
* Libsrtp
SRTP Decrypt

* Tool to decipher SRTP packets
* Takes the symmetric SRTP key (the one carried in the SDP) to decrypt the SRTP traffic
* Outputs the decrypted packets as a hexdump
* Wireshark can reconstruct RTP packets from the hexdump
SRTP Decrypt

* GitHub: https://github.com/gteissier/srtp-decrypt

[Browser screenshot of the repository page: "Deciphers SRTP packets"; 10 commits, 1 branch, 0 releases, 1 contributor; latest commit ac50693 on Jan 18, 2016, "Increment offset using words, not bytes".]
SRTP Decrypt: Pre-Installation

* Installing libgcrypt

pentester@PentesterAcademy:~/work/srtp-decrypt$ sudo apt-get install libgcrypt-dev
sudo: unable to resolve host PentesterAcademy
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libgcrypt20-dev' instead of 'libgcrypt-dev'
The following additional packages will be installed:
  libgcrypt20 libgpg-error-dev
...

[Terminal screenshot, second apt-get run; the command line is cut off, the output shows libpcap-dev being installed]
sudo: unable to resolve host PentesterAcademy
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libpcap0.8-dev
The following NEW packages will be installed:
  libpcap-dev libpcap0.8-dev
SRTP Decrypt: Installation

* Cloning

root@PentesterAcademy:/work# git clone https://github.com/gteissier/srtp-decrypt.git
Cloning into 'srtp-decrypt'...
remote: Counting objects: 35, done.
remote: Total 35 (delta 0), reused 0 (delta 0), pack-reused 35
Unpacking objects: 100% (35/35), done.

* Compiling

root@PentesterAcademy:/work/srtp-decrypt# make
cc -g -Os -Wall -c -o srtp.o srtp.c
cc -g -Os -Wall -c -o srtp-decrypt.o srtp-decrypt.c
cc -o srtp-decrypt srtp-decrypt.o srtp.o -lpcap -lgcrypt
SRTP Decrypt: Ready

root@PentesterAcademy:/work/srtp-decrypt# ls -l
[permission column cut off in the screenshot]
1 root root     273 Mar 17 05:36 Makefile
1 root root 2853144 Mar 17 05:36 marseillaise-srtp.pcap
1 root root     945 Mar 17 05:36 README.md
1 root root   22057 Mar 17 05:36 srtp.c
1 root root   54112 Mar 17 05:40 srtp-decrypt
1 root root    3917 Mar 17 05:36 srtp-decrypt.c
1 root root   26464 Mar 17 05:40 srtp-decrypt.o
1 root root    2720 Mar 17 05:36 srtp.h
1 root root   52096 Mar 17 05:40 srtp.o
SRTP Decrypt: Copying SRTP key

[Wireshark screenshot: Normal_Call_two_parties.pcap, frame 188 (a 200 OK carried as plain SIP on UDP port 5060) expanded to the SDP. Right-click on the crypto attribute opens the context menu (Expand Subtrees, Expand All, Collapse All, Apply as Column, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize with Filter, Follow, Copy, Show Packet Bytes..., Export Packet Bytes..., Wiki Protocol Page, Filter Field Reference, Protocol Preferences, Decode As..., Go to Linked Packet, Show Linked Packet in New Window); the Copy submenu (All Visible Items, All Visible Selected Tree Items, Description, Field Name, as Filter, Bytes as Hex + ASCII Dump, ...as Hex Dump, ...as Hex Stream, ...as Raw Binary, ...as Escaped String) is used to copy the key value.]

No.   Time       Source      Length  Info
188   29.319111  192.168...  1051    Status: 200 OK
2312  39.694387  192.168...  461     Request: BYE sip:asterisk@192.168.20.130:5060
2313  39.701755  192.168...  446     Status: 200 OK
2317  39.709060  192.168...  487     Request: BYE sip:1111@192.168.20.132:60850;ob
2318  39.709625  192.168...  406     Status: 200 OK

Frame 188: 1051 bytes on wire (8408 bits) ...
Ethernet II, Src: Vmware_ff:65:9b (00:0c:29:ff:65:9b), Dst: ... (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.1...
User Datagram Protocol, Src Port: 5060, ...
Session Initiation Protocol (200)
  Status-Line: SIP/2.0 200 OK
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): ...
      Owner/Creator, Session Id (o): ...
      Session Name (s): Asterisk
      Connection Information (c): IN ...
      Time Description, active time (t): ...
      Media Description, name and address (m): ...
      Media Attribute (a): crypto:1 ...
      Media Attribute (a): rtpmap:0 PCMU/8000
      Media Attribute (a): rtpmap:101 telephone-event/8000
      Media Attribute (a): fmtp:101 0-16
      Media Attribute (a): ptime:20
      Media Attribute (a): maxptime:150
      Media Attribute (a): sendrecv
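How the key travels from the SIP/SDP body into srtp-decrypt (the "SRTP key in SIP/SDP decrypted packet" and "Copying SRTP key" slides), as an added Python example that is neither from the deck nor from srtp-decrypt: it parses the RFC 4568 a=crypto attribute, checks that the inline value decodes to exactly the master key and master salt the named crypto-suite requires, and splits an SRTP packet into the clear RTP header, the encrypted payload and the authentication tag the suite appends. The SDP body and the 182-byte packet are constructed (the key is bytes 0..29, base64-encoded; the addresses and port mirror the Asterisk SDP on the slides). With SDES the media key is only as private as the signalling that carries it: plain SIP on UDP/5060 exposes it to anyone on the path, SIP over TLS only to whoever can decrypt the TLS session.

```python
import base64
import re

# Crypto-suite parameters from RFC 4568 section 6.2: 128-bit master key, 112-bit master salt,
# and the length of the SRTP authentication tag the suite appends to every packet.
CRYPTO_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": {"key_len": 16, "salt_len": 14, "auth_tag_len": 10},
    "AES_CM_128_HMAC_SHA1_32": {"key_len": 16, "salt_len": 14, "auth_tag_len": 4},
    "F8_128_HMAC_SHA1_80": {"key_len": 16, "salt_len": 14, "auth_tag_len": 10},
}
# a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>[|lifetime][|MKI:length] [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+=*)((?:\|[^\s|]+)*)")


def parse_crypto_attribute(line):
    """Decode one SDES a=crypto attribute into master key and master salt for the named suite."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto attribute with an inline key")
    tag, suite, b64, params = m.groups()
    spec = CRYPTO_SUITES.get(suite)
    if spec is None:
        raise ValueError(f"unsupported crypto-suite {suite}")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate omitted padding
    want = spec["key_len"] + spec["salt_len"]
    if len(raw) != want:
        raise ValueError(f"{suite} needs {want} key||salt bytes, inline value has {len(raw)}")
    return {"tag": int(tag), "suite": suite,
            "master_key": raw[:spec["key_len"]], "master_salt": raw[spec["key_len"]:],
            "auth_tag_len": spec["auth_tag_len"],
            "key_params": [p for p in params.split("|") if p]}


def extract_media_keys(sdp):
    """Per m= line: the port (the one to 'Decode As' RTP), transport and any SDES keys offered."""
    media, current = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            kind, port, proto, *fmts = line[2:].split()
            current = {"media": kind, "port": int(port), "proto": proto,
                       "formats": fmts, "crypto": []}
            media.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["crypto"].append(parse_crypto_attribute(line))
    return media


def split_srtp_packet(packet, auth_tag_len):
    """SRTP packet layout (RFC 3711 section 3.1): RTP header in clear, encrypted payload,
    optional MKI (none in these offers), then the authentication tag."""
    csrc_count = packet[0] & 0x0F
    header_len = 12 + 4 * csrc_count
    if len(packet) < header_len + auth_tag_len:
        raise ValueError("too short to be an SRTP packet for this suite")
    tag_start = len(packet) - auth_tag_len
    return {"header": packet[:header_len],
            "encrypted_payload": packet[header_len:tag_start],
            "auth_tag": packet[tag_start:]}


# Constructed sample: key||salt is bytes 0..29; the rest mirrors the Asterisk SDP on the slides.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = f"""v=0
o=- 3730743973 3730743976 IN IP4 192.168.20.130
s=Asterisk
c=IN IP4 192.168.20.130
t=0 0
m=audio 13288 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY_B64}|2^31
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
"""
# Constructed 182-byte SRTP packet: 12-byte RTP header, 160 encrypted G.711 bytes, 10-byte tag
# (the Len=182 on the SRTP slides versus 172 bytes once decrypted).
SAMPLE_SRTP_PACKET = bytes([0x80, 0x00]) + bytes(10) + b"\xaa" * 160 + b"\xbb" * 10

if __name__ == "__main__":
    for m in extract_media_keys(SAMPLE_SDP):
        print(m["media"], m["port"], m["proto"])
        for k in m["crypto"]:
            print("  suite", k["suite"], "key", k["master_key"].hex(), "salt", k["master_salt"].hex())
    parts = split_srtp_packet(SAMPLE_SRTP_PACKET, 10)
    print({name: len(value) for name, value in parts.items()})
```

The length check matters in practice: a key pasted from a screenshot or an OCR'd slide that is one character off decodes to the wrong number of bytes and fails here, rather than producing silent authentication failures for every packet later on.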
SRTP Decrypt: UDP Ports

[Wireshark screenshot: Normal_Call_two_parties.pcap, SRTP frames 196-199 listed so the UDP ports of each media leg can be read off.]

No.  Time       Source          Destination     Protocol  Info
196  29.355005  192.168.20.130  192.168.20.1    SRTP      PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4650, Time=320
197  29.372665  192.168.20.1    192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
198  29.372952  192.168.20.130  192.168.20.132  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
199  29.375160  192.168.20.132  192.168.20.130  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15577, Time=480

Frame 195: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, ...
Real-Time Transport Protocol
SRTP Decrypt: Decrypting SRTP Traffic

Command: ./srtp-decrypt -k ukK+RfjSi9/fUFr8zoJu6zdgPw6MGtONhgX4yqwRj < ../Normal_Call_two_parties.pcap > decoded.raw

* -k                            Defined SRTP key (uk+RfjSi9/fUFr8zoJu6bzdaPw6MGtONhgX4yqwRj in this case)
* Normal_Call_two_parties.pcap  Input file
* decoded.raw                   Output file

root@PentesterAcademy:/work/srtp-decrypt# ./srtp-decrypt -k uK+RfjSi9/fUFr8zoJu6zdqPpw6MGtONhgX4yqwRj < ../Normal_Call_two_parties.pcap > decoded.raw
frame 0 dropped: decoding failed 'Permission denied'
frame 1 dropped: decoding failed 'Permission denied'
frame 2 dropped: decoding failed 'Permission denied'
frame 3 dropped: decoding failed 'Permission denied'
frame 4 dropped: decoding failed 'Permission denied'
frame 5 dropped: decoding failed 'Permission denied'
frame 6 dropped: decoding failed 'Permission denied'
frame 7 dropped: decoding failed 'Permission denied'
frame 8 dropped: decoding failed 'Permission denied'
SRTP Decrypt: decoded.raw

[Terminal screenshot: decoded.raw opened in vim ("decoded.raw" 12838 lines). Each decrypted packet is a packet-number/timestamp line followed by offset-prefixed hexdump lines; the first packet begins with an RTP header (80 00 = version 2, payload type 0):]

1 0:08.731764
0000 80 00 64 2e 00 00 00 a0 58 2f 39 0c 79 7e 7e 7e
...
0040 7e 7e ff ff ff fe fe fe fe fe fe fe
SRTP Decrypt: Importing Decrypted Content

[Wireshark screenshot: The Wireshark Network Analyzer, File menu open (Open Ctrl+O, Open Recent, Merge..., Import from Hex Dump..., Close, Save Ctrl+S, Save As... Ctrl+Shift+S, File Set, Export Specified Packets..., Export Packet Dissections, Export Packet Bytes... Ctrl+H, Export PDUs to File..., Export SSL Session Keys..., Export Objects, Print... Ctrl+P, Quit Ctrl+Q). The Open Recent list shows earlier imports (import_20180320032643_a04600.pcapng, import_20180320015530_a09592.pcapng) and the trial captures SIP+RTP_call_trace_merged.pcap, SIP over TLS+RTP_call_trace.pcap, SIP over TLS+SRTP_call_trace.pcap, SIP+SRTP_call_trace.pcap.]
SRTP Decrypt: Importing Decrypted Content

[Wireshark screenshot: Import From Hex Dump dialog. Import From: file name; Offsets: Hexadecimal (selected), Decimal, Octal, None; Timestamp format: (No format will be applied); Direction indication (unchecked). Encapsulation: Encapsulation Type: Ethernet; dummy header: No dummy header, Ethernet (Ethertype, hex), IPv4 (Protocol, dec), UDP / TCP (Source port, Destination port), SCTP (Tag), SCTP (Data) (PPI); Maximum frame length.]
SRTP Decrypt: Imported Decrypted UDP Packets

[Wireshark screenshot: import_20180320032955_a10724.pcapng. Frames 1-7 at 0.000000, 0.000001, ... 0.000006 s, all from the dummy address 1.1.1.1 to 2.2.2.2, dissected as UDP with Len=172.]

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
User Datagram Protocol
Data (172 bytes)
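The hexdump-to-Wireshark step of the last four slides (decoded.raw, Import From Hex Dump, dummy UDP header, imported packets), as an added Python example that is from neither the deck nor srtp-decrypt: it parses offset-prefixed hexdump text in the shape of the decoded.raw excerpt, wraps each packet in the same dummy Ethernet/IPv4/UDP headers the Wireshark import produced on the slides (Send_00 -> Receive_00, 1.1.1.1 -> 2.2.2.2, UDP 4000 -> 17786) and writes a classic pcap that Wireshark opens directly, so the import can be scripted instead of clicked. The packets are constructed G.711 RTP frames; the timestamps are 1 µs apart, which is what the import assigns when no timestamp format is given.

```python
import re
import struct

# One hexdump line: 4-digit hex offset, then up to 16 hex bytes (the layout of decoded.raw).
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})((?:\s+[0-9a-fA-F]{2}){1,16})$")

# Dummy headers exactly as Wireshark's Import From Hex Dump wrote them on the slides.
SRC_MAC = bytes.fromhex("2053454e4400")   # "Send_00"
DST_MAC = bytes.fromhex("205245435600")   # "Receive_00"
SRC_IP, DST_IP = "1.1.1.1", "2.2.2.2"
SRC_PORT, DST_PORT = 4000, 17786
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET


def parse_hexdump(text):
    """Collect packets from hexdump text: a line at offset 0000 starts a new packet and
    lines that are not offset+bytes (the '<n> <time>' headers) are skipped."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"offset {offset:#06x} does not follow the previous line")
        current += bytes.fromhex(m.group(2))
    if current:
        packets.append(bytes(current))
    return packets


def to_hexdump(packets, first_time=8.731764, interval=0.02):
    """Inverse of parse_hexdump, in the shape of decoded.raw: '<n> 0:<ss.uuuuuu>' then offset lines."""
    lines = []
    for n, pkt in enumerate(packets, 1):
        lines.append(f"{n} 0:{first_time + interval * (n - 1):09.6f}")
        for off in range(0, len(pkt), 16):
            lines.append(f"{off:04x} " + " ".join(f"{b:02x}" for b in pkt[off:off + 16]))
    return "\n".join(lines) + "\n"


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_udp(payload, src_ip=SRC_IP, dst_ip=DST_IP, sport=SRC_PORT, dport=DST_PORT):
    """Ethernet + IPv4 + UDP dummy headers (UDP checksum 0 means 'not computed', which is legal)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + udp


def write_pcap(frames, times):
    out = bytearray(PCAP_GLOBAL_HEADER)
    for frame, t in zip(frames, times):
        sec = int(t)
        usec = int(round((t - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(blob):
    """Minimal reader used to check that the file round-trips; returns the raw frames."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, frames = 24, []
    while off < len(blob):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        frames.append(blob[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def hexdump_to_pcap(text):
    """decoded.raw -> pcap; frames 1 µs apart, as the import with no timestamp format numbers them."""
    frames = [wrap_udp(p) for p in parse_hexdump(text)]
    return write_pcap(frames, [i * 1e-6 for i in range(len(frames))])


def make_rtp(seq, ts, ssrc=0x60542655, payload=b"\xff" * 160):
    """Constructed 172-byte G.711 PCMU RTP packet (version 2, payload type 0)."""
    return struct.pack("!BBHII", 0x80, 0x00, seq, ts, ssrc) + payload


SAMPLE_PACKETS = [make_rtp(16568 + i, 320 + 160 * i) for i in range(3)]
SAMPLE_HEXDUMP = to_hexdump(SAMPLE_PACKETS)

if __name__ == "__main__":
    blob = hexdump_to_pcap(SAMPLE_HEXDUMP)
    with open("decoded.pcap", "wb") as f:
        f.write(blob)
    print(len(read_pcap(blob)), "frames written")
```

Each frame comes out at 214 bytes (14 + 20 + 8 + 172), the size Wireshark shows for Frame 1 on the slide; because every packet gets the same dummy addresses, the whole file is one direction of one flow, which is also why the later RTP Stream Analysis finds an empty reverse stream.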
SRTP Decrypt: Decode As

[Wireshark screenshot: import_20180320032955_a10724.pcapng, right-click on frame 1 opens the packet context menu (Mark/Unmark Packet, Ignore/Unignore Packet, Set/Unset Time Reference, Time Shift..., Packet Comment..., Edit Resolved Name, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow, Copy, Protocol Preferences, Decode As..., Show Packet in New Window). Frames 2-7 are UDP, Length 214, destination port 17786, Len=172.]

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: ...
Internet Protocol Version 4, Src: 1.1.1.1, Dst: ...
User Datagram Protocol, Src Port: 4000, Dst Port: ...
Data (172 bytes)
SRTP Decrypt: Decode As RTP

[Wireshark screenshot: Decode As dialog with one row: Field "UDP port", Value (the media port), Type "Integer, base 10", Default "ICQ", Current "RTP".]
SRTP Decrypt: Decoded Packets

[Wireshark screenshot: import_20180320032955_a10724.pcapng after Decode As RTP; the 1.1.1.1 -> 2.2.2.2 frames now dissect as RTP.]

RTP  PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16568, Time=320
RTP  PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16569, Time=480
RTP  PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
RTP  PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16571, Time=800
RTP  PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16572, Time=960
RTP  PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16573, Time=1120

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol
SRTP Decrypt: Checking RTP Streams

[Wireshark screenshot: import_20180320032955_a10724.pcapng, Telephony menu (VoIP Calls, GSM, IAX2 Stream Analysis, ISUP Messages, LTE, MTP3, Osmux, RTP, RTSP, SCTP, SMPP Operations, UCP Messages, H.225, SIP Flows, SIP Statistics, WAP-WSP Packet Counter) with RTP > RTP Streams selected (the RTP submenu also offers Stream Analysis).]

No.  Time      Source   Protocol  Info
2    0.000001  1.1.1.1  RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16568, Time=320
3    0.000002  1.1.1.1  RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16569, Time=480
4    0.000003  1.1.1.1  RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
5    0.000004  1.1.1.1  RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16571, Time=800
6    0.000005  1.1.1.1  RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16572, Time=960
7    0.000006  1.1.1.1  RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16573, Time=1120

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured ...
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), ...
Internet Protocol Version 4, Src: 1.1.1.1, Dst ...
User Datagram Protocol, Src Port: 4000, Dst Po...
Real-Time Transport Protocol
SRTP Decrypt: Analysing RTP Streams

[Wireshark screenshot: RTP Stream Analysis for 1.1.1.1:4000 -> 2.2.2.2:17786 from import_20180320032955_a10724, tabs Forward, Reverse, Graph; buttons Close, Play Streams, Help. The per-packet table (Packet, Sequence, Delta (ms), Jitter (ms), Skew, Bandwidth, Marker, Status) shows Delta 0.00 and Jitter 20.00 on every row.]

Forward
  SSRC 0x60542655
  Max Delta 0.00 ms @ 11
  Max Jitter 20.00 ms
  Mean Jitter 19.96 ms
  RTP Packets 520
  Expected 520
  Lost 0 (0.00 %)
  Seq Errs 0
  Start at 0.000000 s @ 1
  Freq Drift 160000000 Hz (1999900.00 %)

Reverse
  SSRC 0x00000000
  Max Delta 0.00 ms @ 0
  Mean Jitter 0.00 ms
  RTP Packets 0
  Expected 1
  Lost 1 (100.00 %)
  Seq Errs 0
  Duration 0.00 s
  Clock Drift 0 ms
  Freq Drift 1 Hz (0.00 %)

The packet, sequence and loss figures are meaningful; the delta, jitter, skew and drift figures are not, because the imported frames carry synthetic timestamps 1 µs apart (520 packets in a 0.000519 s span on the next slide) instead of the original 20 ms spacing. The empty reverse stream follows from the import as well: every decrypted packet was given the same dummy 1.1.1.1:4000 -> 2.2.2.2:17786 header, so Wireshark sees a single direction.
SRTP Decrypt: Playing Decrypted Call

[Wireshark screenshot: RTP Player. Waveform legend: Jitter Drops, Wrong Timestamps, Inserted Silence; time axis -0.069 to -0.051 s.]

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)           Sample Rate (Hz)  Payloads
1.1.1.1         4000         2.2.2.2              17786             0x60542655  4294967295   520      0 - 0.000519 (0.000519)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio)
Jitter Buffer: 50    Playback Timing: Jitter Buffer / Time of Day
Libsrtp

* Implementation of the Secure Real-time Transport Protocol (SRTP)
* Can decipher SRTP packets
Libsrtp

* GitHub: https://github.com/cisco/libsrtp

[Browser screenshot of the repository page: "Library for SRTP (Secure Realtime Transport Protocol)"; 1,039 commits, 8 branches, 16 releases, 48 contributors; latest commit 1447dfb by pabuhler, 13 days before the screenshot.]
Libsrtp: Installation

* Cloning

root@PentesterAcademy:/work# git clone https://github.com/cisco/libsrtp.git
Cloning into 'libsrtp'...
remote: Counting objects: 6495, done.
remote: Total 6495 (delta 0), reused 0 (delta 0), pack-reused 6495
Receiving objects: 100% (6495/6495), 5.28 MiB | 126.00 KiB/s, done.
Resolving deltas: 100% (4442/4442), done.
root@PentesterAcademy:/work# cd libsrtp/
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Libsrtp: Installation 


* Configure

root@PentesterAcademy:/work/libsrtp# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for ar... ar
checking the archiver (ar) interface... ar
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e...
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Libsrtp: Installation 


* Make

root@PentesterAcademy:/work/libsrtp# make
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c srtp/srtp.c -o srtp/srtp.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c srtp/ekt.c -o srtp/ekt.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/cipher/cipher.c -o crypto/cipher/cipher.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/cipher/null_cipher.c -o crypto/cipher/null_cipher.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/cipher/aes_icm.c -o crypto/cipher/aes_icm.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/cipher/aes.c -o crypto/cipher/aes.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/hash/null_auth.c -o crypto/hash/null_auth.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/hash/auth.c -o crypto/hash/auth.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ...
  ...oll-loops -c crypto/hash/hmac.c -o crypto/hash/hmac.o
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Libsrtp: Ready 


root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -h
Using libsrtp2 2.2.0-pre [0x2020000]
usage: ./rtp_decoder [-d <debug>]* [[-k][-b] <key> [-a][-e]]
or     ./rtp_decoder -l
where  -a use message authentication
       -e <key size> use encryption (use 128 or 256 for key size)
       -g Use AES-GCM mode (must be used with -e)
       -t <tag size> Tag size to use (in GCM mode use 8 or 16)
       -k <key>  sets the srtp master key given in hexadecimal
       -b <key>  sets the srtp master key given in base64
       -l list debug modules
       -f "<pcap filter>" to filter only the desired SRTP packets
       -d <debug> turn on debugging for module <debug>
       -s "<srtp-crypto-suite>" to set both key and tag size based
          on RFC4568-style crypto suite specification


©PentesterAcademy.com 


Libsrtp: SRTP key 


Normal_Call_two_parties.pcap (Wireshark)

No.  Time       Source          Destination     Protocol  Length  Info
128  27.128753  192.168.20.132  192.168.20.130  SIP/SDP   278     Request: INVITE sip:2222@192.168.20.130
131  27.301506  192.168.20.130  192.168.20.1    SIP/SDP   1174    Request: INVITE sip:2222@192.168.20.1:60168;ob
173  29.293203  192.168.20.1    192.168.20.130  SIP/SDP   1101    Status: 200 OK
178  29.314263  192.168.20.130  192.168.20.132  SIP/SDP   1131    Status: 200 OK

Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730471310 3730471311 IN IP4 192.168.5.114
            Session Name (s): pjmedia
            Bandwidth Information (b): AS:84
            Time Description, active time (t): 0 0
            Session Attribute (a): X-nat:0
            Media Description, name and address (m): audio 4000 RTP/SAVP 0 101
            Connection Information (c): IN IP4 192.168.5.114
            Bandwidth Information (b): TIAS:64000
            Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
            Media Attribute (a): sendrecv
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74
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Libsrtp: Copying SRTP key 


Normal_Call_two_parties.pcap: the same 200 OK (frame 173, 192.168.20.1 -> 192.168.20.130), with the SDP media attributes expanded. The last attribute carries the SRTP master key; right-clicking it opens the Copy submenu (Description, Field Name, As Filter, Bytes as Hex + ASCII Dump, ...as Hex Dump, ...as Printable Text, ...as a Hex Stream):

            Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
            Media Attribute (a): sendrecv
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74
            Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:
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
Libsrtp: Filtering for one sender 


Normal_Call_two_parties.pcap: in the 200 OK from 192.168.20.1, right-click the IPv4 Source field and use Apply as Filter (Selected / Not Selected / ...and Selected / ...or Selected / ...and not Selected / ...or not Selected) to keep only that sender's packets.

Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 1087
    Identification: 0x14d4 (5332)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0x7806 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.20.1
    Destination: 192.168.20.130
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
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Libsrtp: Filtering single RTP stream 


Normal_Call_two_parties.pcap, filtered to the SRTP stream from 192.168.20.1 (SSRC 0x399071D5):

No.  Time       Source        Destination     Protocol  Length  Info
177  29.311833  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25650, Time=160, Mark
189  29.332471  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25651, Time=320
193  29.352961  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25652, Time=480
197  29.372665  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
204  29.393539  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25654, Time=800
208  29.413260  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25655, Time=960
212  29.434077  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25656, Time=1120
216  29.453993  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25657, Time=1280
220  29.474710  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25658, Time=1440
225  29.494627  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25659, Time=1600
230  29.515344  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25660, Time=1760
234  29.535085  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25661, Time=1920
238  29.555804  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25662, Time=2080
242  29.575801  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25663, Time=2240
247  29.596513  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25664, Time=2400
251  29.616324  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25665, Time=2560
255  29.636923  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25666, Time=2720
260  29.657564  192.168.20.1  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25667, Time=2880

Frame 177: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16450
Real-Time Transport Protocol
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Libsrtp: Exporting filtered traffic 


Normal_Call_two_parties.pcap with the same filtered SRTP list (18 packets, SSRC 0x399071D5, Seq 25650-25667, 224 bytes each) and the File menu open: Open (Ctrl+O), Open Recent, Merge..., Import from Hex Dump..., Close (Ctrl+W), Save (Ctrl+S), Save As... (Ctrl+Shift+S), File Set, Export Packet Bytes..., Export PDUs to File..., Export SSL Session Keys..., Export Objects, Print..., Quit (Ctrl+Q).

Frame 177: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16450
Real-Time Transport Protocol
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
Libsrtp: Saving exported traffic 


Wireshark "Save As" dialog. Save in: SIP + SRTP (existing files: Call_to_VoiceMail.pcap, Conference_Call_three_parties.pcap, Normal_Call_two_parties.pcap). Save as type: Wireshark/tcpdump/... - pcap (*.dmp.gz;*.dmp;*.c...). Compress with gzip: unchecked.

Packet Range (Captured): All packets (2380); Selected packet; Marked packets; First to last marked; Range; Remove Ignored packets
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Libsrtp: Command 


./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ./Normal_Call_two_parties_Exported_RTP.pcap

* -a: Use message authentication
* -t 10: Authentication tag size (80 bits, so 10 bytes)
* -e 128: Length of the encryption key. In our case the cipher suite is AES_CM_128_HMAC_SHA1_80, hence a 128-bit key is used.
* -b <key>: SRTP master key in ASCII (base64) format, as copied from the SDP crypto attribute
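The SDP crypto attribute from the "Libsrtp: SRTP key" slides and the rtp_decoder flags above, tied together in an added Python example (my code, not the talk's and not part of libsrtp): it parses an RFC 4568 a=crypto line, splits the base64 key||salt according to the crypto-suite, derives the rtp_decoder arguments from it, and audits an SDP body for master keys that travelled over SIP without TLS. The sample SDP and key are constructed from values shown on these slides; SRTP_SUITES and the function names are mine.

```python
"""Parse the RFC 4568 (SDES) a=crypto attribute that carries the SRTP master
key inside SDP, derive rtp_decoder flags from it, and audit an SDP body."""
import base64
import re

# SDES crypto-suites: (master key bytes, master salt bytes, auth tag bits).
SRTP_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14, 80),
    "AES_CM_128_HMAC_SHA1_32": (16, 14, 32),
    "F8_128_HMAC_SHA1_80": (16, 14, 80),
}

# a=crypto:<tag> <crypto-suite> inline:<key||salt>[|lifetime][|MKI:length] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+)\s+(?P<suite>[A-Z0-9_]+)\s+inline:(?P<params>\S+)"
)


def parse_crypto_attribute(line):
    """Decode one a=crypto line; raise ValueError for an unknown suite or a
    key||salt whose decoded length does not match the suite."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an SDES crypto attribute: %r" % line)
    suite = m.group("suite")
    if suite not in SRTP_SUITES:
        raise ValueError("unsupported crypto-suite " + suite)
    key_len, salt_len, tag_bits = SRTP_SUITES[suite]
    fields = m.group("params").split("|")    # key material, then optional lifetime / MKI
    key_salt = base64.b64decode(fields[0], validate=True)
    if len(key_salt) != key_len + salt_len:
        raise ValueError("key||salt is %d bytes, %s needs %d"
                         % (len(key_salt), suite, key_len + salt_len))
    return {
        "tag": int(m.group("tag")),
        "suite": suite,
        "key_b64": fields[0],
        "master_key": key_salt[:key_len],
        "master_salt": key_salt[key_len:],
        "key_bits": key_len * 8,
        "tag_bits": tag_bits,
        "lifetime_mki": fields[1:],
    }


def rtp_decoder_args(info):
    """The flags the slide passes to libsrtp's rtp_decoder: -a (authenticate),
    -t tag size in bytes, -e key size in bits, -b base64 master key."""
    return ["-a", "-t", str(info["tag_bits"] // 8),
            "-e", str(info["key_bits"]), "-b", info["key_b64"]]


def audit_sdp(sdp_text, sip_over_tls):
    """Report what a capture of the signalling alone gives away: RTP/AVP media
    (no encryption) and RTP/SAVP media whose SDES key rode on SIP without TLS."""
    findings, media = [], None
    for raw in sdp_text.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media = line[2:].split()         # e.g. ['audio', '4000', 'RTP/SAVP', '0', '101']
            if len(media) >= 3 and media[2] == "RTP/AVP":
                findings.append("%s/%s: plain RTP, media not encrypted" % (media[0], media[1]))
        elif line.startswith("a=crypto:") and media and not sip_over_tls:
            info = parse_crypto_attribute(line)
            findings.append("%s/%s: %s master key in cleartext SDP; rtp_decoder %s"
                            % (media[0], media[1], info["suite"],
                               " ".join(rtp_decoder_args(info))))
    return findings


# Constructed sample: the 200 OK SDP and the key shown on the slides.
SAMPLE_KEY = "2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE"
SAMPLE_SDP = """v=0
o=- 3730471310 3730471311 IN IP4 192.168.5.114
s=pjmedia
m=audio 4000 RTP/SAVP 0 101
c=IN IP4 192.168.5.114
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s
""" % SAMPLE_KEY
```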
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Libsrtp: Command output 


root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ../../Normal_Call_two_parties_Exported_RTP.pcap
Using libsrtp2 2.2.0-pre [0x2020000]
security services: confidentiality message authentication
(the decrypted RTP packets follow as a text hex dump, one packet per block)
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Libsrtp: text2pcap help 


root@PentesterAcademy:~# text2pcap
Must specify input and output filename

Usage: text2pcap [options] <infile> <outfile>

where  <infile> specifies input  filename (use - for standard input)
      <outfile> specifies output filename (use - for standard output)

Input:
  -o hex|oct|dec         parse offsets as (h)ex, (o)ctal or (d)ecimal;
                         default is hex.
  -t <timefmt>           treat the text before the packet as a date/time code;
                         the specified argument is a format string of the sort
                         supported by strptime.
                         Example: The time "10:15:14.5476" has the format code
                         "%H:%M:%S."
                         NOTE: The subsecond component delimiter, '.', must be
                         given, but no pattern is required; the remaining
                         number is assumed to be fractions of a second.
                         NOTE: Date/time fields from the current date/time are
                         used as the default for unspecified fields.
  -D                     the text before the packet starts with an I or an O,
                         indicating that the packet is inbound or outbound.
                         This is only stored if the output format is PCAP-NG.
  -a                     enable ASCII text dump identification.
                         The start of the ASCII text dump can be identified
                         and excluded from the packet data, even if it looks
                         like a HEX dump.
                         NOTE: Do not enable it if the input file does not
                         contain the ASCII text dump.

Libsrtp: text2pcap 


* text2pcap -t "%M:%S." -u 10000,10000 - - > ./Normal_Call_two_parties_Decrypted.pcap
* -t: Treat the text before the packet as a date/time code
* "%M:%S.": Time format
* -u 10000,10000: Prepend a dummy UDP header with the specified source and destination ports
* - -: read the hex dump from standard input, write the pcap to standard output
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Libsrtp: Decrypting RTP traffic 


root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ./Normal_Call_two_parties_Exported_RTP.pcap | text2pcap -t "%M:%S." -u 10000,10000 - - > ./Normal_Call_two_parties_Decrypted.pcap
Input from: Standard input
Output to: Standard output
Output format: PCAP
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 17
Generate dummy UDP header: Source port: 10000. Dest port: 10000
Using libsrtp2 2.2.0-pre [0x2020000]
security services: confidentiality message authentication
set master key/salt
Starting decoder
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Libsrtp: Decrypted traffic 


Normal_Call_two_parties_Decrypted.pcap: text2pcap wrapped the decrypted packets in dummy Ethernet/IP/UDP headers (10.1.1.1:10000 -> 10.2.2.2:10000), so Wireshark lists them as plain UDP data:

No.  Time      Source    Destination  Protocol  Length  Info
1    0.000000  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
2    0.020638  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
3    0.041128  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
4    0.060832  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
5    0.081706  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
6    0.101427  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
7    0.122244  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
8    0.142160  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
9    0.162877  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
10   0.182794  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
11   0.203511  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
12   0.223252  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
13   0.243971  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
14   0.263968  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
15   0.284680  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
16   0.304491  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
17   0.325090  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172
18   0.345731  10.1.1.1  10.2.2.2     UDP       214     10000 > 10000 Len=172

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: 0a:01:01:01:01:01 (0a:01:01:01:01:01), Dst: 0a:02:02:02:02:02 (0a:02:02:02:02:02)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2
User Datagram Protocol, Src Port: 10000, Dst Port: 10000
Data (172 bytes)
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Libsrtp: Decode as 


Normal_Call_two_parties_Decrypted.pcap: right-click a packet in the UDP list (10.1.1.1 -> 10.2.2.2, 10000 > 10000 Len=172) to open the context menu: Mark/Unmark Packet (Ctrl+M), Ignore/Unignore Packet (Ctrl+D), Set/Unset Time Reference (Ctrl+T), Time Shift... (Ctrl+Shift+T), Apply as Filter, Prepare a Filter, Colorize Conversation, Follow, Copy, Protocol Preferences, Decode As..., Show Packet in New Window.

Frame 3: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: 0a:01:01:01:01:01 (0a:01:01:01:01:01), Dst: 0a:02:02:02:02:02 (0a:02:02:02:02:02)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2
User Datagram Protocol, Src Port: 10000, Dst Port: 10000
Data (172 bytes)
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Libsrtp: Decode as RTP 


Wireshark "Decode As..." dialog: UDP port 10000 set to be decoded as RTP.
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
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Libsrtp: Decrypted RTP traffic 


Normal_Call_two_parties_Decrypted.pcap after Decode As: the 18 packets from 10.1.1.1 to 10.2.2.2 now dissect as RTP, PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25650-25667, Time=160-2880 (first packet marked).

Frame 3: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: 0a:01:01:01:01:01 (0a:01:01:01:01:01), Dst: 0a:02:02:02:02:02 (0a:02:02:02:02:02)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2
User Datagram Protocol, Src Port: 10000, Dst Port: 10000
Real-Time Transport Protocol
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
Libsrtp: Analysing RTP Streams 


Normal_Call_two_parties_Decrypted.pcap with the Telephony menu open: VoIP Calls, ANSI, GSM, IAX2 Stream Analysis, ISUP Messages, LTE, MTP3, RTP, RTSP, SCTP, SMPP Operations, UCP Messages, H.225, SIP Flows, SIP Statistics, WAP-WSP Packet Counter. The packet list behind it shows the 18 RTP packets (214 bytes, 10.1.1.1 -> 10.2.2.2, PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25650-25667).

Frame 3: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: 0a:01:01:01:01:01 (0a:01:01:01:01:01), Dst: 0a:02:02:02:02:02 (0a:02:02:02:02:02)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2
User Datagram Protocol, Src Port: 10000, Dst Port: 10000
Real-Time Transport Protocol
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
Libsrtp: Analysing RTP Streams 


Wireshark: RTP Stream Analysis, 10.1.1.1:10000 <-> 10.2.2.2:10000 (tabs: Forward | Reverse | Graph)

Forward
  SSRC         0x399071d5
  Max Delta    31.03 ms @ 220
  Max Jitter   2.25 ms
  Expected     520
  Lost         0 (0.00 %)
  Seq Errs     0
  Start at     0.000000 s @ 1
  Duration     10.38 s
  Freq Drift   8000 Hz (0.00 %)

Reverse
  SSRC         0x00000000
  RTP Packets  0
  Expected     1
  Lost         1 (100.00 %)
  Seq Errs     0
  Duration     0.00 s
  Freq Drift   1 Hz (0.00 %)

Packet  Sequence  Delta (ms)  Jitter (ms)  Skew   Bandwidth  Marker  Status
520     26169     19.59       0.82         -1.83  81.60
519     26168     20.50       0.84         -2.24  81.60
518     26167     20.60       0.87         -1.74  81.60
517     26166     20.50       0.89         -1.14  81.60
516     26165     19.67       0.91         -0.63  81.60
515     26164     20.45       0.95         -0.96  81.60
514     26163     20.71       0.98         -0.50  81.60
513     26162     20.51       1.00         0.21   81.60
512     26161     19.25       1.03         0.71   81.60
511     26160     20.34       1.05         -0.04  81.60
510     26159     20.64       1.10         0.31   81.60
509     26158     10.07       1.13         0.95   81.60
508     26157     20.54       0.54         -8.99  80.00
507     26156     20.45       0.54         -8.45  80.00
506     26155     20.31       0.55         -8.00  80.00
505     26154     20.57       0.57         -7.69  80.00
504     26153     20.48       0.57         -7.12  80.00
503     26152     19.65       0.57         -6.64  80.00
502     26151     20.49       0.59         -6.99  80.00
501     26150     20.44       0.59         -6.50  80.00
500     26149     20.50       0.60         -6.05  80.00
499     26148     20.52       0.61         -5.55  80.00
498     26147     19.61       0.62         -5.03  80.00
497     26146     20.60       0.63         -5.42  80.00
496     26145     20.37       0.63         -4.82  80.00
495     26144     20.54       0.65         -4.45  80.00
494     26143     20.46       0.66         -3.91  80.00
493     26142     19.58       0.67         -3.45  81.60
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Libsrtp: Playing decrypted call 


Wireshark: RTP Player (time axis 0 to 9 s)

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)    Sample Rate (Hz)  Payloads
10.1.1.1        10000        10.2.2.2             10000             0x399071d5  4294967295   520      0 - 10.4 (10.4)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio); Jitter Buffer: 50; Playback Timing: Jitter Buffer
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Other Important Parts? 


* DTMF 


* Messages (SMS) 


* Exporting Call 
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RTP DTMF


DTMF_Lab_1_SIP+RTP_1_to_9.pcap (Wireshark)

No.   Time       Source          Destination     Protocol   Length  Info
2594  58.778242  192.168.20.130  192.168.20.1    RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x4BDB6E5A, Seq=21265, Time=97280
2595  58.792695  192.168.20.1    192.168.20.130  RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=12503, Time=97920
2596  58.793139  192.168.20.130  192.168.20.136  RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x71781F5A, Seq=1568, Time=97920
2597  58.798669  192.168.20.136  192.168.20.130  RTP EVENT  58      Payload type=RTP Event, DTMF One 1
2598  58.799694  192.168.20.130  192.168.20.1    RTP EVENT  60      Payload type=RTP Event, DTMF One 1
2599  58.799754  192.168.20.130  192.168.20.1    RTP EVENT  60      Payload type=RTP Event, DTMF One 1
2600  58.813964  192.168.20.1    192.168.20.130  RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=12504, Time=98080
2601  58.814147  192.168.20.130  192.168.20.1    RTP EVENT  60      Payload type=RTP Event, DTMF One 1
2602  58.814239  192.168.20.130  192.168.20.136  RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x71781F5A, Seq=1569, Time=98080
2603  58.818706  192.168.20.136  192.168.20.130  RTP EVENT  58      Payload type=RTP Event, DTMF One 1

Frame 2597: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Ethernet II, Src: Vmware_23:37:1f (00:50:56:23:37:1f), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.136, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16290
Real-Time Transport Protocol
RFC 2833 RTP Event
    Event ID: DTMF One 1
    End of Event: False
    Reserved: False
    Volume: 10
    Event Duration: 160
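The RFC 2833 event fields shown above, as an added Python example (my code, not the talk's): it parses the RTP fixed header and the telephone-event payload, and rebuilds the digits dialled during a plain-RTP call from a constructed packet stream modelled on this capture (SSRC 0x71781F5A, payload type 101 from the a=rtpmap line, volume 10, duration 160). The function names and the sample stream are mine.

```python
"""Decode RFC 2833 / RFC 4733 telephone-event packets (the 'RTP Event' rows
on the DTMF slide) and rebuild the digits dialled during a plain-RTP call."""
import struct

# Event codes from RFC 4733: 0-9 are the digits, then *, #, A-D.
DTMF_EVENTS = {i: str(i) for i in range(10)}
DTMF_EVENTS.update({10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"})


def parse_rtp_header(pkt):
    """Return the fixed RTP header fields and the payload that follows them."""
    if len(pkt) < 12:
        raise ValueError("RTP packet shorter than the 12-byte fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)            # CSRC list
    if b0 & 0x10:                              # header extension present
        if len(pkt) < hdr_len + 4:
            raise ValueError("truncated RTP header extension")
        ext_words = struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    return {
        "pt": b1 & 0x7F, "marker": bool(b1 & 0x80),
        "seq": seq, "timestamp": timestamp, "ssrc": ssrc,
        "payload": pkt[hdr_len:],
    }


def parse_telephone_event(payload):
    """Payload layout: event(8) | E(1) R(1) volume(6) | duration(16)."""
    if len(payload) < 4:
        raise ValueError("telephone-event payload shorter than 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "end": bool(flags & 0x80),
            "volume": flags & 0x3F, "duration": duration}


def dtmf_digits(packets, event_pt):
    """One digit per distinct RTP timestamp: a phone repeats the event every
    packetisation interval and sends the end-of-event packet three times, so
    counting packets would overcount. event_pt comes from a=rtpmap (101 here)."""
    digits, last_ts = [], None
    for pkt in packets:
        hdr = parse_rtp_header(pkt)
        if hdr["pt"] != event_pt:
            continue                           # voice (PCMU) packets are skipped
        ev = parse_telephone_event(hdr["payload"])
        if hdr["timestamp"] != last_ts:
            digits.append(DTMF_EVENTS.get(ev["event"], "?"))
            last_ts = hdr["timestamp"]
    return "".join(digits)


# --- constructed sample stream, values modelled on the capture above ---
def _rtp(pt, seq, ts, ssrc, payload, marker=False):
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


def _event_packets(event, seq, ts, ssrc):
    """Three packets with growing duration, then the end packet sent three times."""
    pkts = []
    for i in range(3):
        pkts.append(_rtp(101, seq + i, ts, ssrc,
                         struct.pack("!BBH", event, 10, 160 * (i + 1)), marker=(i == 0)))
    for i in range(3):
        pkts.append(_rtp(101, seq + 3 + i, ts, ssrc,
                         struct.pack("!BBH", event, 0x80 | 10, 480)))
    return pkts


SSRC = 0x71781F5A
SAMPLE_STREAM = (
    [_rtp(0, 1568, 97920, SSRC, b"\xff" * 160)]   # G.711 PCMU voice frame
    + _event_packets(1, 1569, 98080, SSRC)         # digit 1
    + [_rtp(0, 1575, 99040, SSRC, b"\xff" * 160)]
    + _event_packets(2, 1576, 99200, SSRC)         # digit 2
    + _event_packets(11, 1582, 100320, SSRC)       # '#'
)
```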




SIP Message 


Wireshark

No.  Time       Source          Destination     Protocol  Length  Info
60   33.429572  192.168.20.130  192.168.20.136  SIP       543     Status: 202 Accepted
61   33.429573  192.168.20.130  192.168.20.1    SIP       513     Request: MESSAGE sip:2222@192.168.20.1:63825;ob (text/plain)
62   33.430944  192.168.20.1    192.168.20.130  SIP       348     Status: 200 OK

Frame 61: 513 bytes on wire (4104 bits), 513 bytes captured (4104 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 5160, Dst Port: 63825
Session Initiation Protocol (MESSAGE)
    Request-Line: MESSAGE sip:2222@192.168.20.1:63825;ob SIP/2.0
    Message Header
        Via: SIP/2.0/UDP 192.168.20.130:5160;branch=z9hG4bK5a87574e
        Max-Forwards: 70
        From: "Unknown" <sip:1111@192.168.20.130:5160>;tag=as008f816f
        To: <sip:2222@192.168.20.1:63825;ob>
        Contact: <sip:1111@192.168.20.130:5160>
        Call-ID: 073e1f452da9a1e17dbf255754c503a9@[::1]:5160
        CSeq: 102 MESSAGE
        User-Agent: FPBX-13.0.194.2(13.12.1)
        Content-Type: text/plain;charset=UTF-8
        Content-Length: 29
    Message Body
        Line-based text data: text/plain
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PCAP2WAV: Online service 


pcap2wav.xplico.org (browser shows "Not secure", i.e. plain HTTP)

Demo

PCAP2WAV converts RTP streams to WAV files.
Codecs supported: G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio).
PCAP2WAV is an Xplico customization and it runs in Linux.
Try it now, drag & drop here the PCAP file.
This session is visible only from your IP (182.48.243.162).

Demo rules:
* Only network files (CAP, PCAP) are allowed.
* The maximum file size for uploads is 5 MB.
* Uploaded files will be deleted automatically at 00:00 GMT.
* You can drag & drop files from your desktop on this webpage with Google Chrome, Mozilla Firefox and Apple Safari.

[Delete]
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PCAP2WAV: Uploading PCAP and Downloading Wav 


The same pcap2wav.xplico.org demo page after the upload: the trace "SIP+RTP call trace from ... PBX.pcap" (226.76 KB) is listed with a Delete button, and the generated files appear under "WAV Files:" for download.
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PCAP2WAV: Wav in audacity 


Audacity: rtp_0_1_1522092588_13080.pcap-media-1 (the WAV downloaded from PCAP2WAV), track: Mono, 8000Hz, 32-bit float; timeline 0.0 to 3.0 s.
PCAP2WAV: Offline script

* Bash script to extract the audio from VoIP calls
* Outputs .wav file
* Uses tshark and sox
* GitHub: https://gist.github.com/avimar/d2e9d05e082ce273962d742eb9acac16
PCAP2WAV: Help

root@PentesterAcademy:/work/pcap2wav# ./pcap2wav.sh -h
pcap2wav is a simple utility to make it easier to extract the audio from a pcap
Dependencies:
  apt-get install -y tshark sox
  yum install wireshark sox

Usage:
  pcap2wav [opts] filename.pcap [target filename]

Script attempts to create a few files: a .<codec> file and a .wav file for each RTP stream

It requires Tshark to be installed on the system. If a codec other than PCMA or PCMU
is used then the script will attempt to use fs_cli to decode and create a wav.

Supported codecs:
  PCMU (G711 ulaw)
  PCMA (G711 Alaw)
  GSM
  G722 (requires fs_encode)
  G729 (requires fs_encode with mod_com_g729)

Supported options:
  -Z  Perform "clean and zip" - After converting to wav files the program will "clean up"
      by putting the wav files into a .tgz file and then removing
      the .wav and .<codec> files from the disk.
PCAP2WAV: Installing tshark and sox

root@PentesterAcademy:/work# apt-get install -y tshark sox
Reading package lists... Done
Building dependency tree
Reading state information... Done
tshark is already the newest version (2.4.4-1).
The following additional packages will be installed:
  libsox-fmt-alsa libsox-fmt-base libsox3
Suggested packages:
  libsox-fmt-all
The following NEW packages will be installed:
  libsox-fmt-alsa libsox-fmt-base libsox3 sox
0 upgraded, 4 newly installed, 0 to remove and 1826 not upgraded.
Need to get 530 kB of archives.
After this operation, 1,292 kB of additional disk space will be used.
...edu.tw/Linux/kali kali-rolling/main amd64 libsox3 amd64 14.4.2-3 [264 kB]
...edu.tw/Linux/kali kali-rolling/main amd64 libsox-fmt-alsa amd64 14.4.2-3 [51.3 kB]
...edu.tw/Linux/kali kali-rolling/main amd64 libsox-fmt-base amd64 14.4.2-3 [72.8 kB]
...edu.tw/Linux/kali kali-rolling/main amd64 sox amd64 14.4.2-3 [142 kB]
... (84.7 kB/s)
Selecting previously unselected package libsox3:amd64.
(Reading database ... 336924 files and directories currently installed.)
Preparing to unpack .../libsox3_14.4.2-3_amd64.deb ...
Unpacking libsox3:amd64 (14.4.2-3) ...
PCAP2WAV: Running the tool

root@PentesterAcademy:/work/pcap2wav# ./pcap2wav.sh SIP+RTP call trace from caller to PBX.pcap ./output call.wav
Found SIP+RTP call trace from caller to PBX.pcap, working...
Using ./output call.wav
Checking SIP+RTP call trace from caller to PBX.pcap for RTP streams...
Running as user "root" and group "root". This could be dangerous.
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Target files to create: … and … and …
Stream 1 ssrc / port: 0x0fbb0c8d / 13080
Stream 2 ssrc / port: 0x4fcef51a / 4004
Extracting payloads 1 from 0x0fbb0c8d...
Extracting payloads 2 from 0x4fcef51a...
Combining 2 streams into a single wav file for convenience
No clean option specified - leaving .<codec> and .wav files on system.
PCAP2WAV: Directory contents

* Directory content before running the script

root@PentesterAcademy:/work/pcap2wav# ls -l
total 232
-rwxr-xr-x 1 root root   5927 Mar 27 01:18 pcap2wav.sh
-rw-r--r-- 1 root root 226760 Mar 19 17:29 SIP+RTP call trace from caller to PBX.pcap

* Directory content after running the script

root@PentesterAcademy:/work/pcap2wav# ls -l
total 592
-rw-r--r-- 1 root root  70240 Mar 27 03:57 output call.wav 1.PCMU
-rw-r--r-- 1 root root  70298 Mar 27 03:57 …
-rw-r--r-- 1 root root  70880 Mar 27 03:57 output call.wav 2.PCMU
-rw-r--r-- 1 root root  70938 Mar 27 03:57 …
-rw-r--r-- 1 root root 760938 Mar 27 03:57 …
-rwxr-xr-x 1 root root   5927 Mar 27 01:18 pcap2wav.sh
-rw-r--r-- 1 root root 226760 Mar 19 17:29 SIP+RTP call trace from caller to PBX.pcap

(File names not legible in the screenshot are shown as …; the per-stream .PCMU files and the .wav files were created by the script.)
PCAP2WAV: Wav in audacity

(Screenshot: the combined output WAV opened in Audacity; the timeline spans about 3 seconds.)
VoIPShark

* Collection of Wireshark plugins to
  — Decrypt VoIP calls
  — Export call audio
  — Overview of traffic (Extensions, SMS, DTMF)
  — Common VoIP attacks

* GPL just like Wireshark

* Github: github.com/pentesteracademy/voipshark
VoIPShark: Need?

* Cumbersome and complex process
* Multiple tools
  — Need compilation, hence time consuming to set up
  — Not easy to use
  — User dependent, prone to mistakes
* Inability to retain timestamp, IP addresses etc. during decryption
* Live traffic not supported
Why Wireshark Plugins?

* Plug and play
* Plugins can be
  — Lua scripts
  — Compiled C/C++ code
* Harnessing power of Wireshark
* OS independent
* Large user base
Wireshark Plugins Types

* Dissector
* Chained Dissector
* Post Dissector
* Listener/Tap
* Heuristic Dissector
Dissector

* To interpret the payload data
* Decodes its part of the protocol and passes the payload to the next dissector

Example Dissection Flow
Chained Dissector

* Takes data from the previous dissector, processes its part and passes the payload to the next dissector

Example Dissection Flow

Ethernet -> Custom (Chained Dissector) -> IP -> TCP -> HTTP
VoIPShark: Hook in Dissector Chain

Inside Wireshark: IP Layer Parser -> TCP/UDP Parser -> VoIPShark (SIP/SDP/RTP/SRTP) -> Upper Layer Parser
VoIPShark: Overall Architecture

Components in the architecture diagram:
* New Stream Notifier
* Wireshark SIP and RTP/SRTP dissectors
* Correlation Engine
* Extraction Engine
* Packet Flow Analysis Engine
* Audio Reconstruction Engine
* Encoding Engine
* Reconstruction Engine
* Audio File written to the File System

© PentesterAcademy.com

VoIPShark: Decryption Routines

Pipeline shown in the diagram:
* DISSECTOR (SDP or SRTP)
* KEY EXTRACTOR: MASTER KEY, MASTER SALT (carried in SDP); MEDIA PORTS, SENDER IP, RECEIVER IP
* EXTRACTOR: SSRC, SEQ NUM; ENCRYPTED PAYLOAD
* KEY DERIVATOR: PREDEFINED LABELS -> SESSION ENCRYPTION KEY, SESSION SALT KEY
* DECRYPTOR: SESSION ENCRYPTION KEY + ENCRYPTED PAYLOAD -> RTP PAYLOAD
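As an added example (not VoIPShark's code), the key derivator and decryptor stages in Go: it derives the session encryption key and session salt from a master key and salt using the RFC 3711 predefined labels (0x00 and 0x02), then decrypts one SRTP packet with AES-CM. It assumes the default AES_CM_128_HMAC_SHA1_80 suite, key_derivation_rate 0 and a known rollover counter; the authentication tag is stripped, not verified, which a real decryptor must do before touching the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const tagLen = 10 // AES_CM_128_HMAC_SHA1_80 appends an 80-bit authentication tag
// aesCM returns n bytes of AES counter-mode keystream for iv (RFC 3711 §4.1.1).
func aesCM(key, iv []byte, n int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key length is validated by newSessionKeys
	}
	ks := make([]byte, n) // zeros in, keystream out
	cipher.NewCTR(block, iv).XORKeyStream(ks, ks)
	return ks
}
// deriveKey is the RFC 3711 §4.3.1 derivation with key_derivation_rate 0: x = master_salt XOR
// (label || 0^48), key = AES-CM(master_key, x || 0x0000)[:n]. Labels: 0x00 enc, 0x01 auth, 0x02 salt.
func deriveKey(masterKey, masterSalt []byte, label byte, n int) []byte {
	iv := make([]byte, 16)
	copy(iv, masterSalt)
	iv[7] ^= label // the label is the top byte of the 7-byte key_id
	return aesCM(masterKey, iv, n)
}
type sessionKeys struct{ encKey, salt []byte } // what the key derivator hands to the decryptor
// newSessionKeys takes the master key and salt recovered from the SDP "a=crypto:" line.
func newSessionKeys(masterKey, masterSalt []byte) (*sessionKeys, error) {
	if len(masterKey) != 16 || len(masterSalt) != 14 {
		return nil, errors.New("need a 128-bit master key and 112-bit master salt")
	}
	return &sessionKeys{deriveKey(masterKey, masterSalt, 0x00, 16), deriveKey(masterKey, masterSalt, 0x02, 14)}, nil
}

// decryptPayload turns one SRTP packet into a plain RTP packet. IV = (salt << 16) XOR
// (ssrc << 64) XOR (index << 16), index = ROC || SEQ; roc is the per-SSRC rollover counter.
func (s *sessionKeys) decryptPayload(pkt []byte, roc uint32) ([]byte, error) {
	if len(pkt) < 12+tagLen || pkt[0]>>6 != 2 || len(pkt)-tagLen < 12+4*int(pkt[0]&0x0f) {
		return nil, errors.New("not an SRTP packet, or truncated")
	}
	hdrLen := 12 + 4*int(pkt[0]&0x0f) // fixed header plus CSRC list
	body := pkt[:len(pkt)-tagLen]      // tag stripped only; a real decryptor verifies it first
	index := uint64(roc)<<16 | uint64(binary.BigEndian.Uint16(pkt[2:4]))
	iv := make([]byte, 16)
	copy(iv, s.salt) // 14 bytes; the low two bytes are the block counter
	binary.BigEndian.PutUint64(iv[:8], binary.BigEndian.Uint64(iv[:8])^uint64(binary.BigEndian.Uint32(pkt[8:12])))
	binary.BigEndian.PutUint64(iv[8:], binary.BigEndian.Uint64(iv[8:])^(index<<16))
	out := append([]byte(nil), body...)
	for i, k := range aesCM(s.encKey, iv, len(body)-hdrLen) {
		out[hdrLen+i] ^= k
	}
	return out, nil
}

func main() { // prints the session key and salt for the RFC 3711 Appendix B.3 vectors
	mk, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	ms, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	s, _ := newSessionKeys(mk, ms)
	fmt.Printf("session key %x\nsession salt %x\n", s.encKey, s.salt)
}
```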


Plugins locations

* Check Help > About Wireshark > Folders

Ubuntu (About Wireshark > Folders):

Name                   | Folder               | Typical Files
"File" dialogs         | /root/               | capture files
Temp                   | /tmp                 | untitled capture files
Personal configuration | /root/.wireshark/    | "dfilters", "preferences", "ethers", ...
Global configuration   | /usr/share/wireshark | "dfilters", "preferences", "manuf", ...
System                 | /etc                 | "ethers", "ipxnets"
Program                | /usr/bin             | program files

Windows (About Wireshark > Folders):

Name                   | Location                                          | Typical Files
"File" dialogs         | C:\Users\Nishant\Deskto...iting Wireshark Plugin) | capture files
Temp                   | C:\Users\Nishant\AppData\Local\Temp               | untitled capture files
Personal configuration | C:\Users\Nishant\AppData\Roaming\Wireshark\       | dfilters, preferences, ethers, ...
Global configuration   | C:\Program Files\Wireshark                        | dfilters, preferences, manuf, ...
System                 | C:\Program Files\Wireshark                        | ethers, ipxnets
Program                | C:\Program Files\Wireshark                        | program files
Extcap path            | C:\Program Files\Wireshark\extcap                 | Extcap Plugins search path
Decrypting SRTP: SRTP Packets

(Wireshark packet list for Normal_Call_two_parties.pcap: the SRTP packets dissect as RTP, PT=ITU-T G.711 PCMU, length 224, between 192.168.20.1, 192.168.20.130 and 192.168.20.132.)

No.  Time       Source          Destination     Length  Info
177  29.311833  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
183  29.316949  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
189  29.332471  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
190  29.333063  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
191  29.334585  192.168.20.132  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x1…
192  29.334904  192.168.20.130  192.168.20.1    224     PT=ITU-T G.711 PCMU, SSRC=0x4…
193  29.352961  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
194  29.353301  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
195  29.354843  192.168.20.132  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x1…
196  29.355005  192.168.20.130  192.168.20.1    224     PT=ITU-T G.711 PCMU, SSRC=0x4…
197  29.372665  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
198  29.372952  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
...

Frame 177: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16450
Real-Time Transport Protocol
Decrypting SRTP: Enabling Auto Decryption

(Wireshark - Preferences dialog, Protocols list scrolled to the VOIPSHARK entry, between VNC and VP8, where automatic SRTP decryption is switched on.)
Decrypting SRTP: Decrypted SRTP (RTP)

(Same packet list for Normal_Call_two_parties.pcap after decryption: frames 177 onwards now dissect as plain RTP, PT=ITU-T G.711 PCMU, length 224.)

Frame 177: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16450
Real-Time Transport Protocol
VoIPShark: Exporting Call Audio

(Wireshark Tools menu > Lua submenu, opened over the RTP packet list: the plugin's entries, including Export Wav and VOIP Attack Detection, sit next to the built-in Firewall ACL Rules item.)
Exporting Call Audio: Specifying Location and File name

Wireshark - Export Wav dialog:
  Location     (Default: C:\Users\Nishant\Documents)
  File prefix  (Default: PA-export)   entered: voipcall
Exporting Call Audio: Exported Streams

Wireshark - Export Wav

Streams Found: 4

Stream 1 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.130-192.168.20.1-0x4efa778b.wav

Stream 2 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.130-192.168.20.132-0x60542655.wav

Stream 3 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.132-192.168.20.130-0x15bd2f81.wav

Stream 4 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.1-192.168.20.130-0x399071d5.wav
VoIPShark: SIP Information Gathering

(Tools > Lua submenu opened over the same RTP packet list; the SIP Information Gathering dialogs on the following slides are launched from here.)
SIP Information Gathering: DTMF

Wireshark - DTMF Sequence dialog

Call Source    | Call Destination | Media Port | DTMF Sequence
192.168.20.130 | 192.168.20.1     | …          | …
SIP Information Gathering: Extensions

Wireshark - Extensions dialog (with Reset and Search controls)
SIP Information Gathering: RTP Packet Transfers

Wireshark - RTP Packet Transfers dialog

Call ID                          | …              | …              | Media Port   | Packets Sent | Packets Received
df715f19130d447a8d790f6c57c6a049 | 192.168.20.130 | 192.168.20.132 | 17786<->4000 | …            | …
SIP Information Gathering: SIP Auth Export

Wireshark - SIP Auth Export dialog (one row per REGISTER digest exchange: client, server, response hash, and the export line):

192.168.20.132 | 192.168.20.130 | 6a09af4b796d1b5ff376726fa9ae1ad9
$sip$***1111*asterisk*REGISTER*sip*192.168.20.130**1522268723/f872129e9c735809884cb64de141967e*1c109c4b8a064ef5ae277c4d7d07c4d1*00000001*auth*MD5*6a09af4b796d1b5ff376726fa9ae1ad9

192.168.20.1 | 192.168.20.130 | f28aa9d6f10944e06f8693337fd3ba19
$sip$***2222*asterisk*REGISTER*sip*192.168.20.130**1522268729/b27f0c3e27b25533a8ae9a41de712696*81aca7938c994d1d93d4abc8007095b5*00000001*auth*MD5*f28aa9d6f10944e06f8693337fd3ba19
SIP Information Gathering: Servers and Proxy

Wireshark - Servers and Proxy dialog
SIP Information Gathering: Unique Messages

Wireshark - Unique Messages dialog, column: Message
VoIPShark: VoIP Attack Detection

(Tools > Lua submenu over the RTP packet list, showing Export Wav and VOIP Attack Detection; the detection dialogs on the following slides open from here.)
VoIP Attack Detection: Bruteforce

Wireshark - Brute Force dialog

S.no | Attacker Machine | Target Extension | Target Machine | Requests Sent | Failed Attempts | Requests Per second
1    | 192.168.20.134   | 1111             | 192.168.20.130 | 7             | 6               | 167.54
2    | 192.168.20.134   | 2222             | 192.168.20.13  | 9             | 8               | 151.65
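As an added example (not VoIPShark's code), the computation behind the Brute Force table in Go, fed a constructed dissector summary rather than a capture: it groups REGISTER traffic per attacker, extension and target, counts requests sent and failed attempts, computes requests per second, and flags the pair against thresholds (3 failed attempts at 20 requests per second, an assumed policy). It separates the initial 401 challenge of normal digest authentication from rejected credential attempts, so a legitimately registering phone is not reported.

```go
package main

// sipEvent is the per-message summary a SIP dissector would hand the detector:
// a REGISTER request (Status 0; Auth = it carried an Authorization header) or the
// response to one. Client is always the registering side, Ext the target extension.
type sipEvent struct {
	Time                float64 // seconds since capture start
	Client, Server, Ext string
	Auth                bool
	Status              int
}
// row mirrors the plugin's Brute Force table: attacker, extension, target, counters.
type row struct {
	Client, Ext, Server string
	Requests, Failed    int
	first, last         float64 // time of the first and last REGISTER
	lastHadAuth         bool
}
// RequestsPerSecond is requests over the span from first to last request.
func (r *row) RequestsPerSecond() float64 {
	if r.last <= r.first {
		return float64(r.Requests)
	}
	return float64(r.Requests) / (r.last - r.first)
}
// Suspicious flags at least minFailed rejected credential attempts at minRate req/s or more.
func (r *row) Suspicious(minFailed int, minRate float64) bool {
	return r.Failed >= minFailed && r.RequestsPerSecond() >= minRate
}

// aggregate groups REGISTER traffic by (client, extension, server). The 401 that
// challenges an unauthenticated REGISTER is normal digest flow; a 401 or 403 only
// counts as a failed attempt when the preceding request already carried credentials.
func aggregate(events []sipEvent) []*row {
	byKey, rows := map[string]*row{}, []*row{}
	for _, e := range events {
		key := e.Client + "|" + e.Ext + "|" + e.Server
		r := byKey[key]
		if r == nil {
			r = &row{Client: e.Client, Ext: e.Ext, Server: e.Server, first: e.Time}
			byKey[key], rows = r, append(rows, r)
		}
		switch {
		case e.Status == 0:
			r.Requests, r.last, r.lastHadAuth = r.Requests+1, e.Time, e.Auth
		case e.Status == 403, e.Status == 401 && r.lastHadAuth:
			r.Failed++
		}
	}
	return rows
}

// sampleEvents is a constructed capture summary: a phone registering normally
// (challenge, then 200 OK) and a tight loop of six wrong passwords for extension 1111.
func sampleEvents() []sipEvent {
	const srv, phone, atk = "192.168.20.130", "192.168.20.132", "192.168.20.134"
	ev := []sipEvent{{1.00, phone, srv, "2222", false, 0}, {1.01, phone, srv, "2222", false, 401},
		{1.02, phone, srv, "2222", true, 0}, {1.03, phone, srv, "2222", false, 200},
		{5.000, atk, srv, "1111", false, 0}, {5.004, atk, srv, "1111", false, 401}}
	for i := 0; i < 6; i++ {
		t := 5.010 + float64(i)*0.006
		ev = append(ev, sipEvent{t, atk, srv, "1111", true, 0}, sipEvent{t + 0.003, atk, srv, "1111", false, 401})
	}
	return ev
}
```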
VoIP Attack Detection: Invite Flooding

Wireshark - Invite Flooding dialog

192.168.20.134 | PentesterAcademy
VoIP Attack Detection: Message Flooding

Wireshark - Message Flooding dialog

S.no | Attacker Machine | Target Machine | Messages Sent | Messages Per second
…    | 192.168.20.134   | 192.168.20.130 | …             | …
VoIP Attack Detection: MITM Attempts

Wireshark - MITM Attempts dialog (MAC addresses as captured)

00:0c:29:9c:2f:3f | 48:0f:cf:4b:06:c9 | 48:0f:cf:4b:06:c9
                  | ,48:0f:cf:4b:06:c9 | ,f8:a9:63:4b:c4:4d
VoIP Attack Detection: Unauthenticated Users

Wireshark - Unauthenticated Users dialog, columns: Username | Call Destination
Q&A

Github: github.com/pentesteracademy/voipshark
nishant@attackdefense.com